Thanks Tony for clarifying, but:
At 11:32 26/02/01 -0800, Tony Rall wrote:
>2. Dynamic NAT
>Internal machines are unreachable until they attempt an external
>"connection". When they do, they are temporarily assigned an external
>address. As long as they keep sending to the outside, within some timeout
>specification, they own that address. Inbound packets destined to it will
>go to the internal machine; while this also could be stateless, but I
>suspect most NAT boxes require that "connections" be initiated by the
>inside machine before allowing the inbound traffic. This is not very
>commonly used either.
That's where I don't agree. The NAT part of the implementation assigns public
addresses to outgoing flows, but it _does not reject_ incoming packets if they
are going to a private address. In other words, if I send you a packet with
dest IP=10.1.2.3, then your NAT module will do nothing to this packet. The
filtering part will reject it. This filtering part may be integrated into
your NAT product, or may be an external module. As an example, ipfilter comes
with ipnat, and the latter doesn't reject packets.
I agree that a packet going to 10.1.2.3 has no reason to come to you, but it's
still possible and I'm using it for the sake of "demonstration".
>3. PAT (port address translation)
>Internal machines are unreachable until they attempt an external
>"connection". When they do, they are temporarily assigned a port on an
>external address (for tcp and udp). Only inbound packets with a source
>specification matching the destination of the original outbound traffic
>will be mapped and forwarded to the internal machine. This must be
>stateful. This method is by far the most commonly used. It does pretty
>thoroughly block inbound connections. This is what most of the folks,
>other than mouss, seem to be talking about in this thread.
I was talking about this too!
>(I use the term "connection" in quotes, because while we really only have
>connections for tcp, the NAT box will typically simulate connections for
>other protocols such as udp and icmp echo.)
>
>And there are certainly other types of NAT in use which are some
>combination of those listed above. A typical example is where all inbound
>traffic to port 25 is statically mapped to a single internal address. This
>acts like static NAT for that particular port (while all the other traffic
>may be using PAT).
>
>It would be helpful if those discussing NAT make clear what type of
>translation they are intending. It usually makes a substantial difference.
I am talking about the most used one: PAT.
Let me be a bit more clear. NAT will translate addresses for outgoing packets,
and for incoming ones if they match a session; and it will ignore any other packet.
The fact that you can configure a NAT box to drop those packets means that
your NAT box contains a packet filter. I'm probably giving a lot of importance to
the meaning of words, but I believe in clarity :)
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
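The distinction mouss draws above (PAT rewrites outbound flows and session-matching inbound packets, ignores everything else, and a separate filter does the rejecting) as an added Python model; this is illustration code, not ipnat or any product's code, and the addresses and port range are constructed:

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class PAT:
    """Port address translation as the thread describes it: outbound flows get
    a port on the public address, inbound packets are rewritten only when they
    match a session, and anything else passes through untouched (never dropped)."""

    def __init__(self, public_ip: str, inside_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.inside = ip_network(inside_net)
        self.next_port = first_port                 # hypothetical port pool start
        self.sessions: Dict[Tuple, int] = {}        # outbound 5-tuple -> public port
        self.reverse: Dict[Tuple, Tuple] = {}       # (proto, pub port, peer, peer port) -> (src, sport)

    def process(self, pkt: Packet) -> Tuple[Packet, bool]:
        """Return the (possibly rewritten) packet and whether NAT touched it."""
        src_in = ip_address(pkt.src) in self.inside
        dst_in = ip_address(pkt.dst) in self.inside
        if src_in and not dst_in:                   # outbound: allocate or reuse a public port
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.sessions:
                self.sessions[key] = self.next_port
                self.reverse[(pkt.proto, self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
                self.next_port += 1
            return replace(pkt, src=self.public_ip, sport=self.sessions[key]), True
        if pkt.dst == self.public_ip:               # inbound: only a matching session is mapped
            inner = self.reverse.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
            if inner is not None:
                return replace(pkt, dst=inner[0], dport=inner[1]), True
        return pkt, False                           # e.g. dst 10.1.2.3 from outside: NAT ignores it

def inbound_filter(raw: Packet, translated: bool, inside) -> bool:
    """Separate filtering stage on the external interface; NAT above never drops."""
    if ip_address(raw.dst) in inside:               # arrived from outside already addressed to a private host
        return False
    return translated                               # to the public address: pass only if a session mapped it

def demo():
    nat = PAT("198.51.100.1", "10.0.0.0/8")        # constructed public address and inside range
    out, _ = nat.process(Packet("tcp", "10.1.2.3", 5555, "203.0.113.9", 80))
    reply_raw = Packet("tcp", "203.0.113.9", 80, "198.51.100.1", out.sport)
    reply, reply_hit = nat.process(reply_raw)
    stray_raw = Packet("tcp", "203.0.113.9", 80, "10.1.2.3", 22)   # sent straight to the private address
    stray, stray_hit = nat.process(stray_raw)
    return out, reply, inbound_filter(reply_raw, reply_hit, nat.inside), stray, inbound_filter(stray_raw, stray_hit, nat.inside)
```

`demo()` shows the stray packet leaving the NAT stage byte-for-byte unchanged while the filter stage is what rejects it.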