Date:      Tue, 1 Oct 2002 10:45:46 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        "Daniel C. Sobral" <dcs@tcoip.com.br>
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: Static NAT
Message-ID:  <20021001174546.GB81932@blossom.cjclark.org>
In-Reply-To: <3D998142.8070005@tcoip.com.br>
References:  <3D9865DB.5040902@tcoip.com.br> <20021001055502.GC79303@blossom.cjclark.org> <3D998142.8070005@tcoip.com.br>

On Tue, Oct 01, 2002 at 08:04:34AM -0300, Daniel C. Sobral wrote:
> Crist J. Clark wrote:
> >On Mon, Sep 30, 2002 at 11:55:23AM -0300, Daniel C. Sobral wrote:
> >
> >>I discovered a nasty problem with the way 1-1 NAT is performed with ipfw 
> >>atm (i.e., divert through natd). The problem is that, because a socket is 
> >>used for this nat, the firewall becomes vulnerable to DoS attacks 
> >>directed to such hosts.
> >>
> >>Since static 1-1 NAT is pretty straightforward, it could be done in the 
> >>kernel-side of ipfw itself, thus avoiding this problem.
> >>
> >>Anyone have thoughts on the subject?
> >
> >
> >What DoS? Only one socket is ever used. Or some other DoS?
> 
> Yes, only one socket is used, and it uses mbuf clusters.

Sure, but even if you do everything in the kernel, you're still using
some mbufs. Could you be more specific about how one would DoS a
machine running with natd(8) and divert(4) that would not affect a
machine doing some type of NAT in the kernel? Just saying, "it uses
mbuf clusters," isn't enough for me to understand what type of
resource exhaustion you are talking about and how it can be
exploited. Please draw me a picture. I'm a bit slow today.

Also, remember that when you push NAT into the kernel, you now need to
find some place in kernel memory to jam the NAT state table. It opens
up lots of new problems too. NAT in kernel or userland has lots of
pros and cons each way.

> >If you don't want to do natd(8) and divert(4), you can do ipfw(8)
> >'fwd' on each machine.
> 
> No, fwd is not nat. I need nat.

Nope, 'fwd' is not NAT, but you can get arbitrary packets from the
network in front of machine A to a socket on machine B with two
'fwd's. Depending on your needs, that may or may not be
sufficient. (One big trip-up is if machine B is not FreeBSD for
example.)
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
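The two-'fwd' arrangement described in the reply above, written out as an added ipfw(8) rule sketch that is not part of the thread: machine A hands the packets to B as next hop without rewriting the destination, and a second fwd on B (which must itself be FreeBSD running ipfw) delivers them to B's local socket. The addresses, interface name, port and the APPLY switch are constructed assumptions.

```shell
#!/bin/sh
# Two-hop 'fwd' redirection (no address rewriting, so this is not NAT).
# Constructed values from the RFC 5737 documentation ranges:
#   A_IP   public address of machine A, the FreeBSD host in front
#   B_IP   machine B, owner of the socket that should receive the traffic
# Rules are only printed unless APPLY=1, so the script is safe to inspect.
A_IP=${A_IP:-192.0.2.10}
B_IP=${B_IP:-198.51.100.20}
EXT_IF=${EXT_IF:-fxp0}
PORT=${PORT:-80}

# Print the command, or execute it when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Machine A: packets arriving on the outside interface for A_IP:PORT get
# B_IP as their next hop. The destination address stays A_IP, which is
# why B needs its own rule to accept them.
rules_on_a() {
    run ipfw add 1000 fwd "$B_IP" tcp from any to "$A_IP" "$PORT" in via "$EXT_IF"
}

# Machine B: the packets still say "to A_IP", so forward them to the
# loopback address; ipfw then hands them to the local socket listening
# on PORT instead of routing them back out.
rules_on_b() {
    run ipfw add 1000 fwd 127.0.0.1 tcp from any to "$A_IP" "$PORT" in
}

echo "# on machine A:"; rules_on_a
echo "# on machine B:"; rules_on_b
```

Replies leave B with A_IP as their source, so the return path has to route them back out through A or another gateway for the trick to be sufficient, which is the "depending on your needs" caveat in the reply.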
