Hmm. Have I got some terminology wrong? I haven't played with Unix for a few years and only _just_ set up Linux on my laptop and haven't messed with the firewall stuff yet...

The types of NAT I talk about are:

Static - You use a real external IP and map ALL ports to a private internal IP (203.18.11.1 -> 192.168.101.5). That one is conceptually easy.

Dynamic (aka overloading) - You use a real external IP and assign ports as you need them. So, when a request comes _out_ of the internal network, I, Eugene the Router, think "Well. Looks like Bob is surfing porn again. I'll map his IP address to my real IP address, and use _one of my own high port numbers_ as the source port for this transaction." So, off go Bob's packets to www.porn.com, and back comes the reply to Eugene on port 33000 or whatever. Eugene looks at his NAT mapping table and says "Hmm. Port 33000 - that will be the answer for Bob on internal IP 192.168.2.2, which I'll send to whatever his _real_ source port is."

Dynamic mappings are created by outgoing traffic, and how long they last is configurable. They are really best for TCP, which has a kind of a conversation (established connection). You can have a faked NAT session for UDP (which doesn't use "connections") by having Eugene remember that Bob just sent some ICQ traffic and opening a temporary hole to allow UDP back from that host. So, Dynamic NAT works for OUTGOING traffic.

PAT, Port Address Translation, is a special kind of static NAT. This is where Eugene acts as above, but keeps some ports open for INCOMING traffic. Like, for example, port 25 or port 80. Eugene can still use high ports on that IP address for overloading, but knows to send traffic from the outside that hits his statically mapped ports to different internal hosts (port 25 might go to 192.168.1.1, port 80 might go to 192.168.1.2).

Now, here's where I may have things screwed up. I thought IP masquerading was a way to do transparency for proxy services. In other words, if Bob sends a request to www.porn.com without checking "use proxies" in his browser (the nasty man) and I have a normal MS Proxy as the ONLY path from internal to external, the Proxy will say "Um, that's not my IP address, dude. I'll just drop this packet, okay?". IP Masquerading (as _I_ call it) is when the box says "Well, that's not my IP address, but I'll pretend like it is, grab the packet, feed it through my WWW proxy (logging the site - you're busted, Bob) and go and get the page."

Sorry to post _another_ primer. I suppose this would be in a FAQ somewhere, *blush*

Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319
Mobile: (0414) 411 520

-----Original Message-----
From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
Sent: Wednesday, May 12, 1999 3:24 AM
To: Firewalls List
Subject: Re: NAT and firewalls

On 11 May 99, at 17:01, John Talbot wrote:

> This mapping between internal and external seems to take place:
> * Statically, where one internal IP address is mapped to one external
> address
> * Dynamically, where all the internal IP addresses are mapped to a few
> external addresses
>
> My question is how often is the addressing done dynamically, and if it is, how
> can I have applications addressing hosts within my private addressing
> domain, if the addresses are masked by NAT.

This is, I believe, the case where static mapping is *required*.

Note, however, that there is another case which doesn't quite fit either of your definitions above. If you use Linux IP "masquerading", all of your internal addresses map to a *single* external address; this is like your "dynamic" scenario in that the pool of external addresses is smaller than the number of internal addresses mapped onto that pool. BUT, I believe you can statically map a specific internal (IP,port) pair to a specific external port, and this is sufficient to qualify as a static NAT for purposes of allowing external clients to connect to an internal server.

David G

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
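The mapping table both posts describe (overloading on one external address, PAT holes for ports 25 and 80, and unsolicited inbound traffic dropped), as an added toy model that is not code from either poster. "Eugene", the addresses, the ports and the 60-second lifetime are constructed sample values.

```python
from dataclasses import dataclass, field

EXTERNAL_IP = "203.18.11.1"  # Eugene the Router's real address (constructed sample)


@dataclass
class Nat:
    ttl: float = 60.0                               # dynamic mapping lifetime (configurable)
    static: dict = field(default_factory=dict)      # ext_port -> (int_ip, int_port): PAT holes
    dynamic: dict = field(default_factory=dict)     # (int_ip, int_port) -> ext_port
    reverse: dict = field(default_factory=dict)     # ext_port -> ((int_ip, int_port), expiry)
    next_port: int = 33000                          # first "high port" Eugene hands out

    def forward_static(self, ext_port, int_ip, int_port):
        """PAT: a fixed hole for INCOMING traffic, e.g. external 25 -> the mail host."""
        self.static[ext_port] = (int_ip, int_port)

    def outbound(self, src_ip, src_port, now=0.0):
        """Outgoing packet: reuse or create a mapping and refresh its expiry."""
        key = (src_ip, src_port)
        if key not in self.dynamic:
            # never hand out a port that is a static hole or still in use
            while self.next_port in self.static or self.next_port in self.reverse:
                self.next_port += 1
            self.dynamic[key] = self.next_port
            self.next_port += 1
        ext_port = self.dynamic[key]
        self.reverse[ext_port] = (key, now + self.ttl)
        return (EXTERNAL_IP, ext_port)

    def inbound(self, dst_port, now=0.0):
        """Incoming packet: static holes first, then live dynamic replies, else drop."""
        if dst_port in self.static:
            return self.static[dst_port]
        entry = self.reverse.get(dst_port)
        if entry is None:
            return None                             # no mapping: unsolicited, dropped
        key, expiry = entry
        if now > expiry:                            # mapping timed out: tear down, drop
            del self.reverse[dst_port]
            del self.dynamic[key]
            return None
        return key
```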
