Skip site navigation (1)Skip section navigation (2) 
Date:      Thu, 3 Jul 2003 02:32:41 +0300
From:      Ruslan Ermilov <ru@freebsd.org>
To:        Chuck Swiger <cswiger@mac.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Performance improvement for NAT in IPFIREWALL
Message-ID:  <20030702233241.GD48919@sunbay.com>
In-Reply-To: <3F036571.8030609@mac.com>
References:  <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com> <3F0331EE.6020707@mac.com> <3F0350C7.7010009@tenebras.com> <3F036571.8030609@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

--tmoQ0UElFV5VgXgH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Jul 02, 2003 at 07:06:25PM -0400, Chuck Swiger wrote:
[...]
> By itself, NAT provides no benefit to security, and some implementations=
=20
> actually reduce the security of the system compared with not running NAT.=
 =20
>=20
Our natd(8) contributes to security somewhat, by providing the
-deny_incoming option.

Also, by using a dedicated IP address for a NAT, and blocking
(with a firewall) all incoming packets that do not match an
already established connections (originated locally, or mapped
with static redirection rules), you secure your NAT host.
(This is even without the -deny_incoming option to natd(8).)
Here's the relevant part of the functioning firewall ruleset:

# Route to the per-interface ruleset.
${fwcmd} add skipto 1000 ip from any to any via ${iif}
${fwcmd} add skipto 2000 ip from any to any via ${oif}
=2E..

# EXTERNAL INTERFACE RULESET

# Spoof protection.
${fwcmd} add 2000 deny ip from ${inet} to any in
=2E..

# NAT.
${fwcmd} add divert natd ip from ${inet} to any out
${fwcmd} add divert natd ip from any to ${nat} in
${fwcmd} add deny ip from any to ${nat} in


Cheers,
--=20
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software Ltd,
ru@FreeBSD.org		FreeBSD committer

--tmoQ0UElFV5VgXgH
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/A2uZUkv4P6juNwoRAj2SAJ9aIe42xbaPocME6I4UxKDvtfAPTQCdGhi/
BiAC1vDJPZmpBY3/m7T7fMQ=
=PYBU
-----END PGP SIGNATURE-----

--tmoQ0UElFV5VgXgH--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030702233241.GD48919>