> Generally, NAT is "near" the interface on which it applies. So:
> - at input stage, NAT is applied before filtering
> - at output stage, NAT is applied after the filtering.
>
How general is this information, mouss? It doesn't hold true for Linux IP
Masquerading (at least up to the 2.2 series kernels), AFAIK. I don't know
about other implementations, but ipmasq is a variation of IP forwarding in
Linux ipchains.
> Let's concentrate on input filtering (My guess is this is the case that
> you consider).
> The reason why you NAT first is that only then can the filter know the
> effective destination.
> If you filter before, you might have a situation where all packets are
> going
> to your FW's external address, since they haven't yet been mapped back
> to the private IP address where they're to go.
>
You're differentiating between outbound NAT traffic (output stage) and the
return packets (input stage) here, which is a bit confusing.
> That said, I would love it if one could have a simple filter before the
> NAT
> module
> to configure anti-spoofing rules, such as rejecting packets going to 10.*
> and so.
> While this is not a real problem (the stateful filter or the proxy will
> reject it), it
> is good to know that someone is playing silly games.
>
Well, the Linux kernel's packet filtering code works that way. In kernels up
to 2.2, every packet traverses three steps: input, forward and output. You
can apply basic filtering rules (i.e. accept, deny, reject) at all three
stages. The forwarding stage is enhanced by a PAT action and allows you to
redirect packets to other ports and addresses (I'm not sure on that last
bit, since I've never used it myself). Note that if you use PAT/ipmasq, you
don't need to define a forwarding rule for return traffic. BTW, Linux
ipchains (the 2.2 PF code) is not stateful (save ipmasq).
> > Or maybe is it judicious not to make a
> > distinction between the various types of rules and simply let the user
> > specify the order in which he wants the rules to be applied..
>
> depends on your NAT.
>
In Linux (2.2), there is no decision, NAT/PAT/ipmasq is part of the kernel's
packet filtering code and is configured in the 'forward' chain. Of course,
you could always use two boxes, one filtering and the other ipmasqing, in
which case I'd probably always filter before ipmasqing, since the ipmasq box
will NAT anything (it doesn't filter in this setup) and the filtering box
couldn't really make much of a decision based on source information.
Lesson: always also filter on Linux ipmasq boxes.
HTH
Tobias
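As an added illustration, not code from the thread or from the ipchains project, here is a toy Python model of the 2.2 packet path Tobias describes (input chain, then demasquerading of replies, then the forward chain where MASQ is applied, then the output chain), showing which destination address each chain's filter actually gets to see. The ordering assumed is the one in the ipchains documentation (demasqueraded replies skip the forward chain); all addresses, ports and rules are constructed.

```python
# Added example, not code from the thread: a toy model of the Linux 2.2
# ipchains packet path (input chain -> demasquerade -> forward chain with
# MASQ -> output chain) showing which addresses each chain's filter sees.
# All addresses, ports and the masquerade table are constructed values.

FW_EXT = "198.51.100.1"   # firewall's external address (constructed)
MASQ_PORT = 61000         # port the kernel picks for the masqueraded flow

def run_chain(chain, pkt):
    """Return the target of the first matching rule, else the policy ACCEPT."""
    for predicate, target in chain:
        if predicate(pkt):
            return target
    return "ACCEPT"

def traverse(pkt, chains, masq_table, log):
    """Pass one packet through the 2.2 path, logging the dst each chain saw."""
    log.append(("input", pkt["dst"]))
    if run_chain(chains["input"], pkt) != "ACCEPT":
        return "DENY"
    key = (pkt["src"], pkt["dport"])
    if pkt["dst"] == FW_EXT and key in masq_table:
        # demasquerade: a reply to a masqueraded flow is rewritten here and
        # skips the forward chain, going straight to output
        pkt["dst"], pkt["dport"] = masq_table[key]
    else:
        log.append(("forward", pkt["dst"]))
        verdict = run_chain(chains["forward"], pkt)
        if verdict == "MASQ":
            masq_table[(pkt["dst"], MASQ_PORT)] = (pkt["src"], pkt["sport"])
            pkt["src"], pkt["sport"] = FW_EXT, MASQ_PORT
        elif verdict != "ACCEPT":
            return "DENY"
    log.append(("output", pkt["dst"]))
    return run_chain(chains["output"], pkt)

def demo():
    # anti-spoofing in input: a private source arriving on the external iface
    chains = {
        "input": [(lambda p: p["iface"] == "eth0"
                   and p["src"].startswith("10."), "DENY")],
        "forward": [(lambda p: p["src"].startswith("10."), "MASQ")],
        "output": [],
    }
    masq, log = {}, []
    out = {"iface": "eth1", "src": "10.0.0.5", "sport": 1234,
           "dst": "203.0.113.7", "dport": 80}
    back = {"iface": "eth0", "src": "203.0.113.7", "sport": 80,
            "dst": FW_EXT, "dport": MASQ_PORT}
    spoof = {"iface": "eth0", "src": "10.0.0.9", "sport": 5,
             "dst": "10.0.0.5", "dport": 22}
    verdicts = tuple(traverse(p, chains, masq, log) for p in (out, back, spoof))
    return verdicts, out, back, log
```

The log shows the input chain seeing the reply's destination as the firewall's own external address, so a rule there cannot filter on the internal host the packet is really heading for.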