From owner-freebsd-stable Thu Sep 27 11:43:10 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from pr0n.kutulu.org (pr0n.kutulu.org [151.196.107.157]) by hub.freebsd.org (Postfix) with ESMTP id E077437B40D for ; Thu, 27 Sep 2001 11:43:05 -0700 (PDT)
Received: from kutulu.kutulu.org ([64.212.128.3]) by pr0n.kutulu.org (8.11.6/8.11.6) with ESMTP id f8RDlH782704; Thu, 27 Sep 2001 13:47:17 GMT (envelope-from kutulu@kutulu.org)
Message-Id: <5.1.0.14.0.20010927140705.009ffc60@127.0.0.1>
X-Sender: kutulu@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Thu, 27 Sep 2001 14:23:45 -0400
To: swear@blarg.net (Gary W. Swearingen)
From: Kutulu
Subject: Re: 127/8 continued
Cc: Mike Porter , freebsd-stable@FreeBSD.ORG
In-Reply-To: <4cd74ctsac.74c@localhost.localdomain>
References: <200109271411.f8REBNH02164@c1828785-a.saltlk1.ut.home.com> <20010924094048.X5906-100000@coredump.scriptkiddie.org> <20010926134253.A65444@mushhaven.net> <200109271411.f8REBNH02164@c1828785-a.saltlk1.ut.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

At 11:14 AM 09/27/2001 -0700, Gary W. Swearingen wrote:

>By definition, yes. But do you mean "public" (Internet-routable)? I'm
>fairly sure I was communicating with my DSL router when I had only a 10.x
>address on the firewall. (Had to set 10.x.x.x as the gateway in the DSL
>router's route to my firewall.)

In order for the machines on your network to communicate with the outside world, they will either need public, routable IP addresses (all of them, not just your firewall), or you will need to run NAT somewhere. If your firewall has a private IP of 10.0.0.2, for example, even if it routes traffic correctly to the DSL router, once that packet hits the public internet there's no way to know how to get back to your 10.0.0.2.
> > [ suggestion of 1-to-1 NAT ]
> > Since no two machines will ever share the same IP under
> > this scheme, it will work fine, while hiding your internal network structure
> > from "the world".
>
>I read about that in my firewalling book, but I just don't get it, even
>ignoring the problem with not translating IP addresses within the
>packets. How does translating IP addresses help with security, as long
>as the translation is transparent?

The benefit is not really security here. The benefit is, you can have machines on the same logical subnet on different physical segments. Since the only place the real local IPs of those machines are known is the firewall, all data heading to both your DMZ server and your firewalled workstation will appear to the outside world to be on the same subnet. As your firewall receives the packets and translates them, they end up being on different internal segments (10.0.0.0 vs 10.0.1.0, for example), and get routed correctly.

This is actually what NAT was originally designed for. It allowed people with a limited number of IPs (i.e., one from their dial-up provider) to handle traffic for multiple separate machines. The security aspects are really just a nice side effect.

>As a reminder, my original post wasn't asking how I can set up my
>network. I was bitching about what I consider a high-level design
>deficiency in the OS (and all OSes, I suppose) software which makes it

The deficiency here is really in IP itself. The IP protocol was built around the assumption that IP networks would be physically segmented in the same basic structure as they were logically segmented. Each separate IP subnet is assumed to be a separate physical network segment, and thus, all machines on that IP subnet should be directly reachable through the attached interface. And this is still the case the vast majority of the time. For those times when it is not the case, there are static routing kludges, and NAT, to take care of it.
--K

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
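Added example, not part of the original message or of any FreeBSD code: a small Python model of the two points made in the reply above. It shows that a packet leaving the site with an RFC 1918 source gets no reply (nothing outside can route back to 10.0.0.2), and that a static 1-to-1 NAT table makes hosts on two different internal segments (10.0.0.0/24 and 10.0.1.0/24) look to the outside like neighbours on one public subnet while only the firewall knows which wire each one is really on. Every address is constructed: 203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes (RFC 5737), and the interface names `int0`/`int1` are made up.

```python
"""Model of static 1-to-1 NAT and the private-address return-path problem.

Added example; all addresses and interface names below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional

# Private space the public Internet does not carry routes for (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Internal topology behind the firewall: two physical segments (constructed).
SEGMENTS: Dict[str, str] = {"10.0.0.0/24": "int0", "10.0.1.0/24": "int1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def is_routable(addr: str) -> bool:
    """True unless the address is RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in RFC1918)


def internet_reply(pkt: Packet) -> Optional[Packet]:
    """What a remote host does with a packet: swap src/dst and answer.
    A reply addressed to private space has no route and is dropped."""
    if not is_routable(pkt.src):
        return None
    return Packet(src=pkt.dst, dst=pkt.src)


def internal_interface(addr: str) -> Optional[str]:
    """Longest-prefix match over the internal segments (the firewall's routing step)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for cidr, iface in SEGMENTS.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None


class OneToOneNAT:
    """Static translation table: one internal address <-> one public address."""

    def __init__(self, mapping: Dict[str, str]):
        self.in2out = dict(mapping)
        self.out2in = {pub: priv for priv, pub in mapping.items()}
        if len(self.out2in) != len(self.in2out):
            raise ValueError("1-to-1 NAT needs a distinct public address per host")
        for pub in self.out2in:
            if not is_routable(pub):
                raise ValueError(f"public side of mapping is not routable: {pub}")

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the site."""
        if pkt.src not in self.in2out:
            raise KeyError(f"no mapping for internal host {pkt.src}")
        return Packet(src=self.in2out[pkt.src], dst=pkt.dst)

    def inbound(self, pkt: Packet) -> Packet:
        """Rewrite the destination of a packet arriving from outside."""
        if pkt.dst not in self.out2in:
            raise KeyError(f"no mapping for public address {pkt.dst}")
        return Packet(src=pkt.src, dst=self.out2in[pkt.dst])


def round_trip(nat: Optional[OneToOneNAT], src: str, dst: str) -> Optional[str]:
    """Send from internal host src to dst; return the internal interface the
    reply is delivered on, or None if the reply never makes it back."""
    out = Packet(src, dst)
    if nat is not None:
        out = nat.outbound(out)
    reply = internet_reply(out)
    if reply is None:
        return None
    if nat is not None:
        reply = nat.inbound(reply)
    return internal_interface(reply.dst)


def same_public_subnet(nat: OneToOneNAT, a: str, b: str, prefixlen: int = 24) -> bool:
    """How the outside sees two internal hosts: do their public addresses
    share one /prefixlen, whatever internal segment they really sit on?"""
    pa = ipaddress.ip_interface(f"{nat.in2out[a]}/{prefixlen}").network
    pb = ipaddress.ip_interface(f"{nat.in2out[b]}/{prefixlen}").network
    return pa == pb


if __name__ == "__main__":
    nat = OneToOneNAT({"10.0.0.2": "203.0.113.10", "10.0.1.5": "203.0.113.11"})
    print(round_trip(None, "10.0.0.2", "198.51.100.7"))   # None: no way back to 10.0.0.2
    print(round_trip(nat, "10.0.0.2", "198.51.100.7"))    # int0
    print(round_trip(nat, "10.0.1.5", "198.51.100.7"))    # int1
    print(same_public_subnet(nat, "10.0.0.2", "10.0.1.5"))  # True
```

The constructor refuses a table that maps two internal hosts to one public address, which is the property the reply relies on ("no two machines will ever share the same IP"); drop that check and you are back to many-to-one NAT, where the return path has to be disambiguated by port state rather than by address alone.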