From owner-freebsd-ipfw Mon Sep 30 7:55:31 2002
Message-ID: <3D9865DB.5040902@tcoip.com.br>
Date: Mon, 30 Sep 2002 11:55:23 -0300
From: "Daniel C. Sobral" <dcs@tcoip.com.br>
To: ipfw@freebsd.org
Subject: Static NAT

I discovered a nasty problem with the way 1-1 NAT is performed with ipfw atm (i.e., divert through natd). The problem is that, because a socket is used for this NAT, the firewall becomes vulnerable to DoS attacks directed at such hosts.

Since static 1-1 NAT is pretty straightforward, it could be done in the kernel side of ipfw itself, thus avoiding this problem.

Anyone have thoughts on the subject?

--
Daniel C. Sobral (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904

E-mail: Daniel.Capo@tco.net.br
        Daniel.Sobral@tcoip.com.br
        dcs@tcoip.com.br
Outros: dcs@newsguy.com
        dcs@freebsd.org
        capo@notorious.bsdconspiracy.net

The surest sign that a man is in love is when he divorces his wife.
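As an added example (not part of the mail above or of any FreeBSD documentation), an ipfw rules file that puts the divert-to-natd setup the mail describes next to the in-kernel `ipfw nat` that later FreeBSD releases added, i.e. the kernel-side static 1-1 NAT the mail argues for. The interface name em0 and all addresses are assumed values.

```conf
# Constructed example: /etc/ipfw.rules, loaded with "ipfw -q /etc/ipfw.rules".
# Assumed values: outside interface em0, public address 192.0.2.10,
# internal host 10.0.0.10 (1-1 static mapping).

# --- Option A: user-space static NAT via a divert socket (the mail's setup) ---
# Each matching packet leaves the kernel through the divert socket, is
# rewritten by the natd daemon, and is reinjected. natd must be running
# with the matching mapping, e.g.:
#   natd -n em0 -redirect_address 10.0.0.10 192.0.2.10
# Every packet aimed at the mapped host is queued to a user-space process,
# which is the exposure the mail is concerned about. Left commented out so
# it does not conflict with option B.
# add 50 divert natd ip from any to any via em0

# --- Option B: in-kernel static NAT (ipfw nat, later FreeBSD releases) ---
# The same 1-1 mapping, handled inside the kernel with no socket involved.
nat 1 config if em0 redirect_addr 10.0.0.10 192.0.2.10
add 50 nat 1 ip from any to any via em0

# Placeholder policy; a real ruleset filters on the translated addresses.
add 65000 allow ip from any to any
```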