Date: Thu, 3 Jul 2003 02:32:41 +0300 From: Ruslan Ermilov <ru@freebsd.org> To: Chuck Swiger <cswiger@mac.com> Cc: freebsd-net@freebsd.org Subject: Re: Performance improvement for NAT in IPFIREWALL Message-ID: <20030702233241.GD48919@sunbay.com> In-Reply-To: <3F036571.8030609@mac.com> References: <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com> <3F0331EE.6020707@mac.com> <3F0350C7.7010009@tenebras.com> <3F036571.8030609@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--tmoQ0UElFV5VgXgH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Wed, Jul 02, 2003 at 07:06:25PM -0400, Chuck Swiger wrote:
[...]
> By itself, NAT provides no benefit to security, and some implementations=
=20
> actually reduce the security of the system compared with not running NAT.=
=20
>=20
Our natd(8) contributes to security somewhat, by providing the
-deny_incoming option.
Also, by using a dedicated IP address for a NAT, and blocking
(with a firewall) all incoming packets that do not match an
already established connections (originated locally, or mapped
with static redirection rules), you secure your NAT host.
(This is even without the -deny_incoming option to natd(8).)
Here's the relevant part of the functioning firewall ruleset:
# Route to the per-interface ruleset.
${fwcmd} add skipto 1000 ip from any to any via ${iif}
${fwcmd} add skipto 2000 ip from any to any via ${oif}
=2E..
# EXTERNAL INTERFACE RULESET
# Spoof protection.
${fwcmd} add 2000 deny ip from ${inet} to any in
=2E..
# NAT.
${fwcmd} add divert natd ip from ${inet} to any out
${fwcmd} add divert natd ip from any to ${nat} in
${fwcmd} add deny ip from any to ${nat} in
Cheers,
--=20
Ruslan Ermilov Sysadmin and DBA,
ru@sunbay.com Sunbay Software Ltd,
ru@FreeBSD.org FreeBSD committer
--tmoQ0UElFV5VgXgH
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
iD8DBQE/A2uZUkv4P6juNwoRAj2SAJ9aIe42xbaPocME6I4UxKDvtfAPTQCdGhi/
BiAC1vDJPZmpBY3/m7T7fMQ=
=PYBU
-----END PGP SIGNATURE-----
--tmoQ0UElFV5VgXgH--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030702233241.GD48919>