Re: Nmap questions concerning my router

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 08/24/05


Date: Wed, 24 Aug 2005 14:55:02 -0500

In the Usenet newsgroup comp.security.firewalls, in article
<1124827224.709330.89360@o13g2000cwo.googlegroups.com>, Nicky wrote:
>
>Moe Trin wrote:
>

>> Think about that - you want to connect out, so your router masquerades
>> for you. But a TCP connection is two-way, so the remote site has to be
>> able to reply to you, and the router does a dynamic port forwarding
>> back to your system so that the connection is complete.
>
>Yes, and also there must be some kind of a NAT table that holds the
>outgoing information in a database (or something similar) when we
>request something (a web page, for example).

Yes, but this is dynamic data. Remember that the source port number on
your computer will be a random number above 1024. If you grab a page
off some web server, the entire page (but not including embedded URLs
that may have to be fetched) is downloaded as one connection. If you
decide to pull up another page, that is a new connection, and your
computer will use a different source port. When each connection is
closed, the router forgets about it as it's no longer a connection.

>> The application only need to worry about connecting to a network, and
>> have that move the packets to the desired (other) application on the
>> system. We don't have to care what that other application is, or how
>> it may differ from other applications - we just send data to a network
>> address.
>
>Sorry, but I still don't follow.

If you press keys on your keyboard, the letters end up in some application
on your display. How did they get there? Is the keyboard directly attached
to that application? Move the mouse to another application, and type some
more. The letters no longer go to the first application, they go to the
second. How did they change destination - the keyboard is now apparently
connected to the second application. Perhaps the keyboard is connected
to your window manager? (Don't forget, I'm running X here, and not
microsoft windoze.) Now press and hold the left Ctrl and Alt keys, and
press the F2 key - hmmm, a new (text based) login prompt. This isn't
using the window manager, as typing your username and password gets you
into the computer as another session. How is the keyboard attached to
the first application, then the second, and now this text session? (Press
the left Alt key and the F7 key, and that should return you to the X
desktop.)

So, the keyboard isn't attached to the desktop, but is connected to the
computer. How do the keystrokes get to the application you have selected
as opposed to some random place on the screen? The answer is that the
keyboard is connected to a tiny program running on the O/S, and that
program makes a network connection to the applications. In X (and windoze),
the mouse cursor position tells the O/S which application is to receive
the keystrokes. Thus, when you move your mouse to another application,
the O/S changes the destination of the keystrokes, and your application
doesn't have to know about all of the other things that are going on.

>> Without "special" or "extra" software, when there are multiple interfaces
>> on the same computer on the same network, the computer will _listen_ to
>> all addresses (and may listen using just one interface to receive all
>> three - depends on the O/S)
>
>I can't understand this!! How can the computer listen to 10.0.0.1,
>10.0.0.2 and 10.0.0.3 on the same interface? These 3 IP addresses are
>assigned to 3 different NICs!

Yes, but those are IP addresses - and the NIC doesn't know about those.
It knows MAC addresses. Now how does the "remote" system on your LAN
(your router) know which interface to send the packet to? It only knows
IP addresses. So, it uses the ARP protocol to find the MAC address, and
your computer answers "I am 10.0.0.1". But which interface answers? With
most O/S and without extra software, only one interface talks - EVEN IF
IT HAS THE "CORRECT" IP ADDRESS OF ANOTHER INTERFACE. Why? The O/S looks
at the _routing table_ to see which interface to use - it doesn't look
at the /sbin/ifconfig output. The routing table shows three entries to
the same network - which one to use? Do you pick one at random? Do you
try to figure out which interface matches your source address? Or do you
just pick one (depending on the O/S, the first or last one configured)
and use that? You would like choice two (appropriate interface), but
that takes extra CPU cycles to determine, and very few people ever run
more than one NIC on a computer on the same network - so few people even
need the code to determine this. This goes back to the origins of
networking, when one network meant a single coax (or the equivalent),
and only one NIC could "talk" at one time. Thus, there was no benefit
to have more than one NIC on the same computer connected to the same wire
because you could only use one at a time anyway.

>Btw what the expression "Push this up the stack" means?

If we speak 'drivers' in the microsoft form, think that the application
sends packets to the correct protocol driver (TCP, UDP, ICMP, and so on)
and that driver sends the packets to the IP driver, which sends the
packets to the NIC driver, which actually causes the hardware to put the
bits on the wire. Coming back, the NIC driver converts the bits on the
wire to an IP packet, and hands this to the IP driver which strips off
the IP headers and hands the packet to the protocol driver, which strips
off the TCP header and figures out which application gets this packet.

>So what happens when the packet reaches 10.0.0.138 and gets inspected
>seeing that its final dest is 83.151.221.52? it gets dropped/rejected?

No, my name is "10.0.0.138" AND "83.151.221.52" (and "127.0.0.1"), and
this packet is for me. Here "IP Driver", take care of this. (OK, this
is a TCP packet - here you are TCP Driver - take care of this.) (Hmmm,
this packet is for the web server - hey, Apache - I've got something for
you.)

>Also what do you mean by saying "(which would go on the loopback
>anyways)" ?
>Only eth* are sent through the loopback interface, no?

If you are 10.0.0.138, and you have a packet for 83.151.221.52, who do
you send this to? We already decided, this is "me", so I must be
trying to talk to myself - send it via the loopback. In the case
above (packet received from the 10.0.0.0/24 network on 10.0.0.138 and
destined for 83.151.221.52), we wouldn't even waste CPU cycles sending
it to the loopback, because the IP Driver recognized this packet is
for "me".

        Old guy
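The dynamic NAT table described near the top of the post (one mapping per outgoing connection, forgotten when the connection closes, and unsolicited inbound packets having nothing to match), as an added example that is not part of the original thread; the external address, the inside host and the web server addresses are constructed from documentation ranges, and the fixed starting port is an assumption made to keep the example deterministic:

```python
# Toy masquerade (NAT) table in the spirit of the post's explanation.
# Addresses below are constructed sample values, not from the thread.
class Masquerade:
    def __init__(self, external_ip):
        self.external_ip = external_ip
        # external port -> (inside ip, inside port, remote ip, remote port)
        self.table = {}
        self.next_port = 40000  # assumed fixed start so the example is repeatable

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Inside host opens a connection: reuse or allocate an external
        port and remember the 4-tuple so the reply can be forwarded back."""
        key = (src_ip, src_port, dst_ip, dst_port)
        for ext_port, entry in self.table.items():
            if entry == key:
                return (self.external_ip, ext_port, dst_ip, dst_port)
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = key
        return (self.external_ip, ext_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving from outside. Only a packet matching a live
        mapping (same remote address and port) is forwarded inside; anything
        else has no connection behind it and is dropped."""
        entry = self.table.get(dst_port)
        if entry is None or entry[2:] != (src_ip, src_port):
            return None
        return entry[0], entry[1]

    def close(self, src_ip, src_port, dst_ip, dst_port):
        """Connection finished: the router forgets about it entirely."""
        key = (src_ip, src_port, dst_ip, dst_port)
        for ext_port, entry in list(self.table.items()):
            if entry == key:
                del self.table[ext_port]

def browse_two_pages():
    """Two page fetches from one inside host: each gets its own source port,
    hence its own mapping; closing the first removes only that mapping."""
    nat = Masquerade("198.51.100.1")
    first = nat.outbound("10.0.0.5", 3456, "192.0.2.80", 80)
    second = nat.outbound("10.0.0.5", 3457, "192.0.2.80", 80)
    nat.close("10.0.0.5", 3456, "192.0.2.80", 80)
    return nat, first, second
```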
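A small model of the host-side behaviour argued in the post, covering both the three-NICs-on-one-wire paragraph (the routing table, not the interface list, decides which NIC answers) and the "this packet is for me, so it never needs the wire" paragraph at the end. This is an added example, not code from the thread; interface names, MAC addresses and the 10.0.0.x addresses on the host are constructed:

```python
import ipaddress
from collections import namedtuple

# Constructed interface names, MACs and addresses for the example.
Interface = namedtuple("Interface", "name mac addrs")

class Host:
    def __init__(self, ifaces):
        self.ifaces = ifaces
        # (network, interface) in configuration order; three NICs on the
        # same wire produce three entries for the same network.
        self.routes = []

    def local_addresses(self):
        """Every address the host owns, plus loopback: all of them are 'me'."""
        addrs = {ipaddress.ip_address("127.0.0.1")}
        for i in self.ifaces:
            addrs.update(ipaddress.ip_address(a) for a in i.addrs)
        return addrs

    def is_for_me(self, dst):
        return ipaddress.ip_address(dst) in self.local_addresses()

    def pick_interface(self, dst):
        """Longest-prefix match; among equal matches the first configured
        entry wins, whichever NIC owns the source address (the post's point)."""
        if self.is_for_me(dst):
            return "lo"  # talking to myself: loopback, never the wire
        d, best = ipaddress.ip_address(dst), None
        for net, ifname in self.routes:
            n = ipaddress.ip_network(net)
            if d in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, ifname)
        return best[1] if best else None

    def arp_reply(self, queried_ip, requester_ip):
        """'Who has queried_ip?' asked by requester_ip. Answer only if the
        address is ours; the reply leaves (with the MAC of) the interface the
        routing table picks for the requester, not the NIC holding the IP."""
        if not self.is_for_me(queried_ip):
            return None
        out = self.pick_interface(requester_ip)
        return out, next(i.mac for i in self.ifaces if i.name == out)

def build_host():
    ifaces = [Interface(f"eth{k}", f"00:11:22:33:44:0{k}", [f"10.0.0.{k + 1}"])
              for k in range(3)]
    h = Host(ifaces)
    h.routes += [("10.0.0.0/24", i.name) for i in ifaces]
    h.routes.append(("0.0.0.0/0", "eth0"))  # default route via the router
    return h
```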


