Date: Tue, 01 Oct 2002 08:04:34 -0300
From: "Daniel C. Sobral" <dcs@tcoip.com.br>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: ipfw@FreeBSD.ORG
Subject: Re: Static NAT
Message-ID: <3D998142.8070005@tcoip.com.br>
References: <3D9865DB.5040902@tcoip.com.br> <20021001055502.GC79303@blossom.cjclark.org>
Crist J. Clark wrote:
> On Mon, Sep 30, 2002 at 11:55:23AM -0300, Daniel C. Sobral wrote:
>
>>I discovered a nasty problem with the way 1-1 NAT is performed with ipfw
>>atm (ie, divert through natd). The problem is that, because a socket is
>>used for this nat, the firewall becomes vulnerable to DoS attacks
>>directed to such hosts.
>>
>>Since static 1-1 NAT is pretty straightforward, it could be done in the
>>kernel-side of ipfw itself, thus avoiding this problem.
>>
>>Anyone have thoughts on the subject?
>
>
> What DoS? Only one socket is ever used. Or some other DoS?

Yes, only one socket is used, and it uses mbuf clusters.

> If you don't want to do natd(8) and divert(4), you can do ipfw(8)
> 'fwd' on each machine.

No, fwd is not nat. I need nat.

-- 
Daniel C. Sobral (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
        Daniel.Sobral@tcoip.com.br
        dcs@tcoip.com.br
Outros: dcs@newsguy.com
        dcs@freebsd.org
        capo@notorious.bsdconspiracy.net

Some marriages are made in heaven -- but so are thunder and lightning.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D998142.8070005>
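The two setups the thread argues about, side by side, as an added example that is not part of the thread and not FreeBSD's own documentation: a static 1-1 NAT done the way Daniel describes (an ipfw divert rule handing packets to natd(8) on its divert socket) and the ipfw 'fwd' rule Crist suggests instead. The interface name fxp0, the addresses 203.0.113.10 / 10.0.0.10, and the rule numbers are constructed; the natd and ipfw syntax is the documented one. The script only prints the commands; pipe its output to sh on the firewall to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread. Static 1-1 NAT on ipfw via
# divert(4) + natd(8), beside the ipfw 'fwd' alternative. The interface
# name, addresses and rule numbers are assumptions chosen for illustration.
set -u

EXT_IF=${EXT_IF:-fxp0}            # outside interface (assumed)
PUB_IP=${PUB_IP:-203.0.113.10}    # public address the NATed host answers to (assumed)
PRIV_IP=${PRIV_IP:-10.0.0.10}     # real address behind the firewall (assumed)
NATD_PORT=${NATD_PORT:-8668}      # divert port natd listens on
IPFW=${IPFW:-ipfw}                # set IPFW="echo ipfw" for a dry run

# natd(8) invocation for a static mapping. -redirect_address takes the
# local (private) address first, then the public one.
natd_cmd() {
    printf 'natd -port %s -interface %s -redirect_address %s %s\n' \
        "$NATD_PORT" "$EXT_IF" "$PRIV_IP" "$PUB_IP"
}

# ipfw rules for the divert path. Only packets addressed to PUB_IP on the
# way in, and packets from PRIV_IP on the way out, are handed to the divert
# socket; everything else is decided in the kernel and never reaches natd.
# A diverted packet is copied to natd's socket, rewritten there, and
# re-injected just after the divert rule, so the rules that follow see the
# post-translation addresses (PRIV_IP inbound, PUB_IP outbound).
ipfw_rules() {
    cat <<EOF
$IPFW add 100 divert $NATD_PORT ip from any to $PUB_IP in via $EXT_IF
$IPFW add 110 divert $NATD_PORT ip from $PRIV_IP to any out via $EXT_IF
$IPFW add 200 allow tcp from any to $PRIV_IP 80 in via $EXT_IF setup
$IPFW add 210 allow tcp from any to any established
$IPFW add 220 allow ip from $PUB_IP to any out via $EXT_IF
$IPFW add 300 deny log ip from any to $PRIV_IP in via $EXT_IF
EOF
}

# The 'fwd' alternative. fwd only changes the next hop the packet is handed
# to; the IP header, including the destination address, is left untouched.
# The inside host therefore has to own PUB_IP itself, which is why this is
# routing, not NAT.
fwd_rules() {
    cat <<EOF
$IPFW add 100 fwd $PRIV_IP tcp from any to $PUB_IP 80 in via $EXT_IF
EOF
}

# Print the plan. To apply on the firewall: ./static-nat.sh | sh
echo "# natd (run once, before loading the rules):"
natd_cmd
echo "# divert-based static NAT rules:"
ipfw_rules
echo "# 'fwd' alternative, for comparison (not NAT):"
fwd_rules
```

Keeping the divert rules narrowed to the one mapped pair, with deny rules ahead of them for anything you do not want translated, keeps the number of packets that take the trip through the socket as small as the design allows; it does not change the fact, which is the thread's point, that every packet for that host still crosses user space once in each direction.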