From: swear@blarg.net (Gary W. Swearingen)
To: Kutulu
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: 127/8 continued
Date: 28 Sep 2001 12:16:16 -0700
In-Reply-To: <5.1.0.14.0.20010927140705.009ffc60@127.0.0.1>
References: <200109271411.f8REBNH02164@c1828785-a.saltlk1.ut.home.com> <20010924094048.X5906-100000@coredump.scriptkiddie.org> <20010926134253.A65444@mushhaven.net> <5.1.0.14.0.20010927140705.009ffc60@127.0.0.1>
List: freebsd-stable@FreeBSD.ORG

Kutulu writes:

> In order for the machines on your network to communicate with the
> outside world, they will either need public, routable IP addresses (all
> of them, not just your firewall), or you will need to run NAT somewhere.
> If your firewall has a private IP of 10.0.0.2, for example, even if it
> routes traffic correctly to the DSL router, once that packet hits the
> public internet there's no way to know how to get back to your 10.0.0.2.
Nobody should be TRYING to get back to 10.0.0.2; the packet src & dst are all Internet addresses, and the DSL and firewall routers should be able to communicate privately. The other end of my DSL connection looks like a router with a public address that some other router uses as a gateway for packets to my workstation or server. As far as the world should know or care, the DSL router and my firewall router are a single router. No?

> > How does translating IP addresses help with security, as long
> > as the translation is transparent?
>
> The benefit is not really security here. The benefit is, you can have
> machines on the same logical subnet on different physical segments.

That's what I was thinking (on both counts), except I wonder why that is "not really" instead of "not".

> This is actually what NAT was originally designed for. It allowed
> people with a limited number of IPs (ie, one from their dial up
> provider) to handle traffic for multiple separate machines. The
> security aspects are really just a nice side effect.

Again, what security aspects?

> The deficiency here is really in IP itself. The IP protocol was built
> around the assumption that IP networks would be physically segmented in
> the same basic structure as they were logically segmented. Each
> separate IP subnet is assumed to be a separate physical network segment,
> and thus, all machines on that IP subnet should be directly reachable
> through the attached interface. And this is still the case the vast
> majority of the time. For those times when it is not the case, there
> are static routing kludges, and NAT, to take care of it.

Assumptions that were reasonable when made, but are giving lots of people grief now. The work-arounds are awkward, partially broken, complicated, or otherwise costly of SA time, IP addresses, etc. Room for someone to innovate, but maybe it's better they work on IPv6.
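The packet flow Kutulu describes (a 10.0.0.2 host behind the firewall, sending out through the DSL router with and without NAT), as an added Python model that is not part of the original thread. The firewall's public address and the remote server are constructed documentation-range values, not addresses from the mail.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed addresses: 10.0.0.2 is the LAN host from the thread; the other
# two are assumed RFC 5737 documentation addresses standing in for the
# firewall's outside interface and a remote server on the public Internet.
LAN_HOST = "10.0.0.2"
FIREWALL_PUBLIC = "203.0.113.7"
REMOTE = "198.51.100.80"

# Ranges the public Internet never carries a route back to.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

Packet = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def is_internet_routable(ip: str) -> bool:
    """True if a core router could forward a packet addressed to ip."""
    return not any(ipaddress.ip_address(ip) in net for net in UNROUTABLE)


class Nat:
    """Minimal source-NAT table: outbound rewrites src to the public IP and
    records (private src, port) under the translated port; inbound undoes it."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: Dict[int, Tuple[str, int]] = {}
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        src, sport, dst, dport = pkt
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.table[nat_port] = (src, sport)
        return (self.public_ip, nat_port, dst, dport)

    def inbound(self, pkt: Packet) -> Packet:
        src, sport, dst, dport = pkt
        if dst != self.public_ip or dport not in self.table:
            raise LookupError("no translation state for this reply; drop")
        orig_src, orig_port = self.table[dport]
        return (src, sport, orig_src, orig_port)


def round_trip(use_nat: bool) -> Optional[Packet]:
    """Send one request from the LAN host; return the reply as the LAN host
    would see it, or None if the Internet has no route back."""
    request: Packet = (LAN_HOST, 12345, REMOTE, 80)
    nat = Nat(FIREWALL_PUBLIC)
    on_wire = nat.outbound(request) if use_nat else request
    reply: Packet = (on_wire[2], on_wire[3], on_wire[0], on_wire[1])  # remote swaps ends
    if not is_internet_routable(reply[2]):
        return None  # dst 10.0.0.2: dropped somewhere upstream
    return nat.inbound(reply) if use_nat else reply
```

Without NAT the reply is addressed to 10.0.0.2 and never comes back; with NAT the firewall's state table maps the reply to the original host and port.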