Hi, Jean,
On Thu, 2021-06-10 at 08:23 -0400, Jean St-Laurent wrote:
> Let's start with this example. When I click sync my clock in windows,
> this happened.
>
> On the inside or Private side
> 08:15:07.434344 IP 192.168.254.205.123 > 13.86.101.172.123: NTPv3,
> Client, length 48
> 08:15:07.47368
On 6/10/2021 4:04 AM, Fernando Gont wrote:
Hi, Blake,
Thanks a lot for your comments! In-line
On Fri, 2021-06-04 at 11:13 -0500, Blake Hudson wrote:
Current gen Cisco ASA firewalls have logic so that if the connection
from a private host originated from a privileged source port, the
NAT
find the devices that don't follow this behaviour, right?
Jean
-Original Message-
From: Fernando Gont
Sent: June 10, 2021 7:09 AM
To: j...@ddostest.me; nanog@nanog.org
Subject: Re: NAT devices not translating privileged ports
Hi, Jean,
On Thu, 2021-06-10 at 06:54 -0400, Jean
Hi, Jean,
On Thu, 2021-06-10 at 06:54 -0400, Jean St-Laurent via NANOG wrote:
> Hi Fernando,
>
> NTP sounds simple but it could be very complex when you dig deep down
> and/or get lost in details.
> Here are 2 things to consider:
>
> 1. NTP clients can query NTP servers by using SRC UDP ports >
Hi Fernando,
NTP sounds simple but it could be very complex when you dig deep down and/or
get lost in details.
Here are 2 things to consider:
1. NTP clients can query NTP servers by using SRC UDP ports > 1024.
2. NTP servers cannot query/sync/communicate to another NTP server when using
SRC
Hi, Bjørn,
On Thu, 2021-06-10 at 12:10 +0200, Bjørn Mork wrote:
> Fernando Gont via NANOG writes:
>
> > What has been reported to us is that some boxes do not translate the
> > src port if it's a privileged port.
> >
> > In such scenarios, NTP implementations that always use src
> > port=12
Fernando Gont via NANOG writes:
> What has been reported to us is that some boxes do not translate the
> src port if it's a privileged port.
>
> In such scenarios, NTP implementations that always use src port=123,
> dst port=123 might be in trouble if there are multiple NTP clients
> behind the s
Hi, Jean,
On Fri, 2021-06-04 at 08:36 -0400, Jean St-Laurent wrote:
> I believe all devices will translate a privileged port, but it won't
> translate to the same number on the other side. It will translate to
> an unprivileged port. Is it what you meant or really there are some
> devices that wi
Hi, Blake,
Thanks a lot for your comments! In-line
On Fri, 2021-06-04 at 11:13 -0500, Blake Hudson wrote:
> Current gen Cisco ASA firewalls have logic so that if the connection
> from a private host originated from a privileged source port, the NAT
> translation to public IP also uses an
For Linux iptables SNAT (used with --to-source), the default is to change
the packet as little as possible.
https://linux.die.net/man/8/iptables
"If no port range is specified, then source ports below 512 will be mapped
to other ports below 512: those between 512 and 1023 inclusive will be mapped
Current gen Cisco ASA firewalls have logic so that if the connection
from a private host originated from a privileged source port, the NAT
translation to public IP also uses an unprivileged source port (not
necessarily the same source port though).
I found out that this behavior can cause issu
I believe all devices will translate a privileged port, but it won't translate
to the same number on the other side. It will translate to an unprivileged
port. Is it what you meant or really there are some devices that will not
translate at all a privileged port?
What are you trying to achieve