
Comment by jcalvinowens

17 hours ago

If you're asking "where is the listener", you don't need one: https://datatracker.ietf.org/doc/html/rfc9293#simul_connect

RFCs may say that simultaneous connect must be allowed, but that doesn't mean that firewalls can't block it. Plenty of setups block incoming SYN,!ACK packets, and if both sides do that, the connection is never getting established.

  • In my experience most consumer routers are dumber than you're assuming they are, and will DNAT any inbound TCP packet that matches the 4-tuple after seeing the initial outbound SYN, including an inbound SYN. But yes, it doesn't work everywhere.

    I wrote a little paper on this technique in school and did some practical tests; at the time I was actually unable to find an example of a consumer-grade router that it didn't work on! But my resources were rather limited; they certainly do exist.

  • > Plenty of setups block incoming SYN,!ACK packets

    Even in the presence of a conntrack entry created by an earlier outbound SYN,!ACK?

    Got a source?

    • I've seen plenty of firewall rulesets over the past 25 years which only consult state after doing some initial stateless inspection.

      I don't have a convenient source though.

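An added example (my own, not code from any commenter) modelling the disagreement above: two peers perform an RFC 9293 simultaneous open behind stateful firewalls, once where the firewall consults the conntrack entry first and once where a stateless "drop inbound SYN without ACK" rule runs before the state lookup. Peer names, the in-memory "wire" and both firewall policies are assumptions for illustration.

```python
# Added example (not from the thread): toy model of TCP simultaneous open (RFC
# 9293 section 3.5, Figure 8) with a stateful firewall in front of each peer.
# Nothing is sent on the wire; peer names and policies are assumptions.
from collections import deque, namedtuple
Seg = namedtuple("Seg", "src dst flags")  # flags: subset of {"SYN", "ACK"}

class Peer:
    def __init__(self, name):
        self.name, self.state = name, "CLOSED"
    def active_open(self, remote):  # connect(): CLOSED -> SYN_SENT
        self.state = "SYN_SENT"
        return Seg(self.name, remote, frozenset({"SYN"}))
    def receive(self, seg):
        f, reply = seg.flags, None
        if self.state == "SYN_SENT" and f == {"SYN"}:  # SYNs crossed in flight
            self.state = "SYN_RECEIVED"  # Figure 8 line 3: reply with SYN,ACK
            reply = Seg(self.name, seg.src, frozenset({"SYN", "ACK"}))
        elif self.state == "SYN_RECEIVED" and "ACK" in f:  # Figure 8 line 6
            self.state = "ESTABLISHED"
        return reply

class Firewall:
    """stateless_first=True drops inbound SYN-without-ACK before consulting the
    conntrack entry the earlier outbound SYN created; False checks state first
    (the 'DNAT anything matching the tuple' router behaviour in the thread)."""
    def __init__(self, stateless_first):
        self.stateless_first, self.conntrack = stateless_first, set()
    def outbound(self, seg):
        if "SYN" in seg.flags:
            self.conntrack.add((seg.src, seg.dst))
    def inbound_ok(self, seg):
        if self.stateless_first and seg.flags == {"SYN"}:
            return False  # dropped by the stateless rule; state never consulted
        return (seg.dst, seg.src) in self.conntrack

def simulate(stateless_first):
    """Both peers call connect() at the same moment; returns their end states."""
    peers = {n: Peer(n) for n in ("A", "B")}
    fws = {n: Firewall(stateless_first) for n in ("A", "B")}
    wire = deque()
    def send(seg):
        fws[seg.src].outbound(seg)
        wire.append(seg)
    send(peers["A"].active_open("B"))
    send(peers["B"].active_open("A"))
    while wire:  # each segment must pass the receiving side's firewall
        seg = wire.popleft()
        if fws[seg.dst].inbound_ok(seg):
            reply = peers[seg.dst].receive(seg)
            if reply:
                send(reply)
    return {n: p.state for n, p in peers.items()}
```

With the state-first policy both sides reach ESTABLISHED; with the stateless rule in front, both SYNs are dropped and each peer is stuck in SYN_SENT until it times out, which is the failure mode described in the thread.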