Date: Mon, 30 Sep 2002 22:55:02 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: "Daniel C. Sobral" <dcs@tcoip.com.br>
Cc: ipfw@FreeBSD.ORG
Subject: Re: Static NAT
Message-ID: <20021001055502.GC79303@blossom.cjclark.org>
In-Reply-To: <3D9865DB.5040902@tcoip.com.br>
References: <3D9865DB.5040902@tcoip.com.br>
On Mon, Sep 30, 2002 at 11:55:23AM -0300, Daniel C. Sobral wrote:
> I discovered a nasty problem with the way 1-1 NAT is performed with ipfw
> atm (i.e., divert through natd). The problem is that, because a socket is
> used for this NAT, the firewall becomes vulnerable to DoS attacks
> directed to such hosts.
>
> Since static 1-1 NAT is pretty straightforward, it could be done in the
> kernel side of ipfw itself, thus avoiding this problem.
>
> Anyone have thoughts on the subject?

What DoS? Only one socket is ever used. Or some other DoS?

If you don't want to do natd(8) and divert(4), you can do ipfw(8) 'fwd'
on each machine.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
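For readers who have not set up the divert/natd arrangement the thread is arguing about, here is what a static 1-1 NAT configuration of that kind looks like on a FreeBSD 4.x gateway. This is an added illustration, not configuration posted by either participant; the interface name (fxp0), the addresses (203.0.113.5 public, 10.0.0.5 private) and the rule number are placeholders.

```conf
# --- /etc/rc.conf fragment (added example; names and addresses are placeholders) ---
gateway_enable="YES"
firewall_enable="YES"
# A file-based firewall_type is loaded verbatim with ipfw(8), so the divert
# rule below must be written by hand; the canned types add it for you.
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="fxp0"
# -redirect_address <private> <public>: a fixed one-to-one mapping in both
# directions, which is the "static NAT" case discussed in the thread.
natd_flags="-redirect_address 10.0.0.5 203.0.113.5"

# --- /etc/ipfw.rules fragment (added example) ---
# Every packet crossing the external interface is handed to natd(8) on the
# divert port named "natd" in /etc/services (8668) and re-injected after
# translation. This is the point the thread is about: all such traffic,
# including the static mapping, is first routed through a userland
# process via a single divert socket before ordinary filtering resumes.
add 100 divert natd ip from any to any via fxp0
# Ordinary filter rules for the translated traffic follow; keep them
# explicit, since what arrives here is already rewritten by natd.
add 200 allow tcp from any to 10.0.0.5 80 in via fxp0 setup
add 300 allow ip from any to any established
add 65000 deny log ip from any to any
```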
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021001055502.GC79303>