From owner-freebsd-net@FreeBSD.ORG  Wed Jul  2 16:32:51 2003
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0F01737B401; Wed,  2 Jul 2003 16:32:51 -0700 (PDT)
Received: from whale.sunbay.crimea.ua (whale.sunbay.crimea.ua
	[212.110.138.65])	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 7F80A43F93; Wed,  2 Jul 2003 16:32:47 -0700 (PDT)
	(envelope-from ru@sunbay.com)
Received: from whale.sunbay.crimea.ua (ru@localhost [127.0.0.1])
	h62NWfVU063369
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Thu, 3 Jul 2003 02:32:42 +0300 (EEST)	(envelope-from ru@sunbay.com)
Received: (from ru@localhost)
	by whale.sunbay.crimea.ua (8.12.9/8.12.8/Submit) id h62NWfFd063364;
	Thu, 3 Jul 2003 02:32:41 +0300 (EEST)
	(envelope-from ru)
Date: Thu, 3 Jul 2003 02:32:41 +0300
From: Ruslan Ermilov <ru@freebsd.org>
To: Chuck Swiger <cswiger@mac.com>
Message-ID: <20030702233241.GD48919@sunbay.com>
References: <3F0316DE.3040301@tenebras.com>
	<20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com>
	<3F0331EE.6020707@mac.com> <3F0350C7.7010009@tenebras.com>
	<3F036571.8030609@mac.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="tmoQ0UElFV5VgXgH"
Content-Disposition: inline
In-Reply-To: <3F036571.8030609@mac.com>
User-Agent: Mutt/1.5.4i
cc: freebsd-ipfw@freebsd.org
cc: freebsd-net@freebsd.org
Subject: Re: Performance improvement for NAT in IPFIREWALL
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jul 2003 23:32:51 -0000


--tmoQ0UElFV5VgXgH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Jul 02, 2003 at 07:06:25PM -0400, Chuck Swiger wrote:
[...]
> By itself, NAT provides no benefit to security, and some implementations=
=20
> actually reduce the security of the system compared with not running NAT.=
 =20
>=20
Our natd(8) contributes to security somewhat, by providing the
-deny_incoming option.

Also, by using a dedicated IP address for a NAT, and blocking
(with a firewall) all incoming packets that do not match an
already established connections (originated locally, or mapped
with static redirection rules), you secure your NAT host.
(This is even without the -deny_incoming option to natd(8).)
Here's the relevant part of the functioning firewall ruleset:

# Route to the per-interface ruleset.
${fwcmd} add skipto 1000 ip from any to any via ${iif}
${fwcmd} add skipto 2000 ip from any to any via ${oif}
=2E..

# EXTERNAL INTERFACE RULESET

# Spoof protection.
${fwcmd} add 2000 deny ip from ${inet} to any in
=2E..

# NAT.
${fwcmd} add divert natd ip from ${inet} to any out
${fwcmd} add divert natd ip from any to ${nat} in
${fwcmd} add deny ip from any to ${nat} in


Cheers,
--=20
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software Ltd,
ru@FreeBSD.org		FreeBSD committer

--tmoQ0UElFV5VgXgH
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE/A2uZUkv4P6juNwoRAj2SAJ9aIe42xbaPocME6I4UxKDvtfAPTQCdGhi/
BiAC1vDJPZmpBY3/m7T7fMQ=
=PYBU
-----END PGP SIGNATURE-----

--tmoQ0UElFV5VgXgH--