Date:      Tue, 01 Oct 2002 15:51:42 -0300
From:      "Daniel C. Sobral" <dcs@tcoip.com.br>
To:        cjclark@alum.mit.edu
Cc:        ipfw@FreeBSD.ORG
Subject:   Re: Static NAT
Message-ID:  <3D99EEBE.2010403@tcoip.com.br>
References:  <3D9865DB.5040902@tcoip.com.br> <20021001055502.GC79303@blossom.cjclark.org> <3D998142.8070005@tcoip.com.br> <20021001174546.GB81932@blossom.cjclark.org>

Crist J. Clark wrote:
> 
> [diet quote]
>
> Sure, but even if you do everything in the kernel, you're still using
> some mbufs. Could you be more specific about how one would DoS a
> machine running with natd(8) and divert(4) that would not affect a
> machine doing some type of NAT in the kernel? Just saying, "it uses
> mbuf clusters," isn't enough for me to understand what type of
> resource exhaustion you are talking about and how it can be
> exploited. Please draw me a picture. I'm a bit slow today.

All I know is that the machine, running simply as a firewall/router, 
does not suffer from mbuf cluster exhaustion. Does not come even close to 
it. Does not even notice a DoS in progress. As soon as there is a 
network connection _to_ the firewall, in this case the natd divert 
socket, this memory starts to get used and, during a DoS, exhausted.

Hows and whys are really beyond me. It's just a matter of what I see 
happening.

> Also, remember that when you push NAT into the kernel, you now need to
> find some place in kernel memory to jam the NAT state table. It opens
> up lots of new problems too. NAT in kernel or userland has lots of
> pros and cons each way.

Now go back to the subject and read it again. Static NAT does not have a 
state table. It need not keep state because it is, well, static.

It isn't much different, really, from fwd. fwd changes the next hop, 
static NAT changes one IP address and possibly the next hop.

>>>If you don't want to do natd(8) and divert(4), you can do ipfw(8)
>>>'fwd' on each machine.
>>
>>No, fwd is not nat. I need nat.
> 
> Nope, 'fwd' is not NAT, but you can get arbitrary packets from the
> network in front of machine A to a socket on machine B with two
> 'fwd's. Depending on your needs, that may or may not be
> sufficient. (One big trip-up is if machine B is not FreeBSD for
> example.)

I need fake ip servers being visible from outside. I need to change 
destination addresses which are routed to through OSPF, _after_ the 
firewall. Neither of these are possible with fwd.

-- 
Daniel C. Sobral                   (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
         Daniel.Sobral@tcoip.com.br
         dcs@tcoip.com.br

Outros:
	dcs@newsguy.com
	dcs@freebsd.org
	capo@notorious.bsdconspiracy.net

The goal of Computer Science is to build something
that will at least last until we've finished building it.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
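Added illustration, not part of the thread: the rewrite Sobral describes above (one address changes, no state table) written out as C that runs stand-alone. It applies a constant public <-> inside mapping to an IPv4 packet in either direction and repairs the IP header checksum and the TCP/UDP checksum (which covers the addresses through the pseudo-header) with the RFC 1624 incremental update, then cross-checks the result against a full recomputation. The mapping (203.0.113.10 <-> 10.0.0.5), the sample UDP packet and all function names are constructed for the example; this is neither natd(8) nor ipfw(8) code, only the arithmetic a -redirect_address style 1:1 mapping has to do per packet.

```c
/* Stateless 1:1 ("static") NAT on an IPv4 packet with RFC 1624 incremental
 * checksum updates.  Added example, not code from the thread; the mapping
 * and the sample packet below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The whole "state" of a static NAT: a constant public <-> inside table. */
struct static_map { uint32_t public_ip; uint32_t inside_ip; };
static const struct static_map MAP[] = {
    { 0xCB00710A, 0x0A000005 },   /* 203.0.113.10 <-> 10.0.0.5 (assumed) */
};
#define NMAP (sizeof MAP / sizeof MAP[0])

uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
uint32_t get32(const uint8_t *p) { return (uint32_t)get16(p) << 16 | get16(p + 2); }
void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* RFC 1071 one's-complement sum, folded to 16 bits. */
static uint32_t ones_sum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (; n > 1; p += 2, n -= 2) s += (uint32_t)(p[0] << 8 | p[1]);
    if (n) s += (uint32_t)p[0] << 8;
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return s;
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for a 32-bit field m -> m'.  Valid
 * for any checksum covering m: the IP header sum and, via the pseudo-header,
 * the TCP/UDP sum.  No per-flow memory is touched, only the packet. */
static uint16_t csum_update32(uint16_t hc, uint32_t m, uint32_t m_new) {
    uint32_t s = (uint16_t)~hc;
    s += (uint16_t)~(m >> 16); s += (uint16_t)~m;
    s += m_new >> 16;          s += m_new & 0xFFFF;
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)~s;
}

/* Offset of the TCP/UDP checksum, or 0 if the packet carries none here
 * (other protocol, non-first fragment, or truncated). */
static size_t transport_csum_off(const uint8_t *pkt, size_t len, size_t ihl) {
    size_t off;
    if (get16(pkt + 6) & 0x1FFF) return 0;          /* fragment offset != 0 */
    if (pkt[9] == 6) off = ihl + 16;                /* TCP */
    else if (pkt[9] == 17) off = ihl + 6;           /* UDP */
    else return 0;
    return off + 2 <= len ? off : 0;
}

/* One's-complement sum of pseudo-header + transport segment. */
static uint32_t transport_sum(const uint8_t *pkt, size_t len, size_t ihl) {
    uint8_t ph[12];
    memcpy(ph, pkt + 12, 8);                        /* src, dst */
    ph[8] = 0; ph[9] = pkt[9];
    put16(ph + 10, (uint16_t)(len - ihl));
    uint32_t s = ones_sum(ph, 12) + ones_sum(pkt + ihl, len - ihl);
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return s;
}

/* Rewrite dst (inbound: public -> inside) or src (outbound: inside -> public).
 * len is the IP total length.  Returns 1 if a mapping applied, else 0. */
int static_nat(uint8_t *pkt, size_t len, int inbound) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0xF) * 4, i, off, aoff = inbound ? 16 : 12;
    if (ihl < 20 || ihl > len) return 0;
    uint32_t old = get32(pkt + aoff), new_ip = 0;
    for (i = 0; i < NMAP; i++)
        if (inbound ? MAP[i].public_ip == old : MAP[i].inside_ip == old) {
            new_ip = inbound ? MAP[i].inside_ip : MAP[i].public_ip;
            break;
        }
    if (i == NMAP) return 0;                        /* no mapping: pass through */
    put32(pkt + aoff, new_ip);
    put16(pkt + 10, csum_update32(get16(pkt + 10), old, new_ip));
    if ((off = transport_csum_off(pkt, len, ihl)) != 0) {
        uint16_t c = get16(pkt + off);
        if (pkt[9] == 17 && c == 0) return 1;       /* UDP: checksum disabled */
        c = csum_update32(c, old, new_ip);
        if (pkt[9] == 17 && c == 0) c = 0xFFFF;     /* UDP: 0 would mean "none" */
        put16(pkt + off, c);
    }
    return 1;
}

/* Full recomputation: builds the sample and cross-checks the incremental path. */
void fill_checksums(uint8_t *pkt, size_t len) {
    size_t ihl = (size_t)(pkt[0] & 0xF) * 4, off;
    put16(pkt + 10, 0);
    put16(pkt + 10, (uint16_t)~ones_sum(pkt, ihl));
    if ((off = transport_csum_off(pkt, len, ihl)) != 0) {
        put16(pkt + off, 0);
        uint16_t c = (uint16_t)~transport_sum(pkt, len, ihl);
        put16(pkt + off, pkt[9] == 17 && c == 0 ? 0xFFFF : c);
    }
}
int checksums_valid(const uint8_t *pkt, size_t len) {
    size_t ihl = (size_t)(pkt[0] & 0xF) * 4, off;
    if (ones_sum(pkt, ihl) != 0xFFFF) return 0;
    if ((off = transport_csum_off(pkt, len, ihl)) == 0) return 1;
    if (pkt[9] == 17 && get16(pkt + off) == 0) return 1;
    return transport_sum(pkt, len, ihl) == 0xFFFF;
}

/* Constructed sample: IPv4/UDP 198.51.100.7:4000 -> 203.0.113.10:53, "ping". */
size_t build_sample(uint8_t *pkt, size_t cap) {
    static const uint8_t raw[] = {
        0x45, 0x00, 0x00, 0x20,  0x12, 0x34, 0x00, 0x00,  0x40, 0x11, 0x00, 0x00,
        198, 51, 100, 7,  203, 0, 113, 10,
        0x0F, 0xA0, 0x00, 0x35,  0x00, 0x0C, 0x00, 0x00,  'p', 'i', 'n', 'g' };
    if (cap < sizeof raw) return 0;
    memcpy(pkt, raw, sizeof raw);
    fill_checksums(pkt, sizeof raw);
    return sizeof raw;
}

int main(void) {
    uint8_t pkt[64];
    size_t n = build_sample(pkt, sizeof pkt);
    printf("before: dst=%08x ipcsum=%04x\n", get32(pkt + 16), get16(pkt + 10));
    static_nat(pkt, n, 1);
    printf("after:  dst=%08x ipcsum=%04x valid=%d\n", get32(pkt + 16),
           get16(pkt + 10), checksums_valid(pkt, n));
    return 0;
}
```

Per packet this is one table lookup and two 16-bit adjustments, which is the point of the thread: nothing is allocated per flow, so there is no table to exhaust and no divert socket to queue on. Two things a real implementation has to add that this sketch deliberately leaves out: ICMP errors carry a copy of the offending IP header in their payload, which must be rewritten as well, and only the first fragment carries the transport checksum (handled here by skipping non-first fragments).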

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D99EEBE.2010403>