From owner-freebsd-security Thu Aug 9 18:15:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns2.austclear.com.au (ns2.austclear.com.au [192.43.185.70]) by hub.freebsd.org (Postfix) with ESMTP id 2D5C237B406 for ; Thu, 9 Aug 2001 18:15:07 -0700 (PDT) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.166.65]) by ns2.austclear.com.au (8.11.2/8.11.3) with ESMTP id f7A1F5420696 for ; Fri, 10 Aug 2001 11:15:06 +1000 (EST) (envelope-from ahl@austclear.com.au)
Received: from tungsten (tungsten [192.168.166.65]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id LAA20997; Fri, 10 Aug 2001 11:15:05 +1000 (EST)
Message-Id: <200108100115.LAA20997@tungsten.austclear.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: freebsd-security@freebsd.org
Subject: distributed natd
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 10 Aug 2001 11:15:04 +1000
From: Tony Landells
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi all!

I've been thinking about ways to improve the robustness of my firewall and I came up with the following idea, so I thought I'd run it past some other people for feedback.

The idea is to run two (or more) firewalls in parallel in such a way that if one failed the other one would pick up the slack without users noticing.

With our current firewall, we generally proxy connections, but for some things (mostly SSH) we just let it through ipfw, using natd to translate a "virtual" external address to the internal address of the target host.

It occurred to me that if you could make a "distributed" natd, then you could actually get everyone to use virtual addresses for everything, and use dynamic routing to control which firewall handles the traffic.

As far as I can see, the requirements for doing this are:

- a way to restrict the port numbers that natd will use so that each firewall will have a unique range
- a way for the natd processes on each firewall to tell each other when they set up or delete a translation
- a way for a starting natd process to obtain a state table from the natd processes on the other firewall(s)
- a way to tell each natd process what its "peers" are

Obviously, this wouldn't work terribly well with stateful packet filtering...

I haven't even begun to look at the code for natd, but can anyone see any fatal flaws in the concept?

Tony
--
Tony Landells
Senior Network Engineer
Australian Clearing Services Pty Ltd
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
Ph: +61 3 9677 9319
Fax: +61 3 9677 9355

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
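The four requirements in the post describe a small replication protocol: disjoint external port ranges per firewall, add/delete notifications between peers, a state pull when a node starts, and a configured peer list. The toy model below, added here as an illustration and not code from the post or from FreeBSD's natd, simulates two (then three) NAT nodes sharing one virtual external address and replicating their translation tables so that a return packet arriving at either firewall can be de-translated. Everything in it is constructed: the virtual address 203.0.113.10, the port ranges, the flows, and the `NatNode` class and its method names are assumptions for the example, not natd options or libalias calls. It models only the address/port mapping, not TCP state, which is exactly the gap the post flags for stateful filtering.

```python
"""Toy model of a 'distributed natd': NAT nodes with disjoint external port
ranges that replicate translation state to their configured peers.

Constructed example for illustration; none of this is FreeBSD natd code.
"""
from dataclasses import dataclass

# Shared "virtual" external address that every firewall answers for
# (constructed value from the RFC 5737 documentation range).
VIRTUAL_IP = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    """Internal side of a translation: who is talking to whom."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatNode:
    """One firewall's natd. Owns a unique external port range and mirrors
    every translation it creates to its peers (requirements 1, 2 and 4)."""

    def __init__(self, name, ext_ip, port_range):
        lo, hi = port_range
        if not (0 < lo <= hi < 65536):
            raise ValueError(f"{name}: bad port range {port_range}")
        self.name = name
        self.ext_ip = ext_ip
        self.port_range = (lo, hi)
        self._next = lo               # round-robin allocation cursor
        self.peers = []               # configured peer list (requirement 4)
        self.table = {}               # Flow -> (ext_ip, ext_port)
        self.reverse = {}             # (ext_ip, ext_port) -> Flow

    def owns_port(self, port):
        lo, hi = self.port_range
        return lo <= port <= hi

    def add_peer(self, peer):
        """Configure a peer; refuse peers whose port range overlaps ours,
        since overlapping ranges would let two nodes hand out the same
        external port for different flows (requirement 1)."""
        lo1, hi1 = self.port_range
        lo2, hi2 = peer.port_range
        if lo1 <= hi2 and lo2 <= hi1:
            raise ValueError(f"{self.name}/{peer.name}: port ranges overlap")
        if peer not in self.peers:
            self.peers.append(peer)
        if self not in peer.peers:
            peer.peers.append(self)

    def join(self):
        """A freshly started node pulls the current state table from each
        peer before it handles traffic (requirement 3)."""
        for peer in self.peers:
            for flow, mapping in list(peer.table.items()):
                self.on_peer_add(flow, mapping)

    def _alloc_port(self):
        lo, hi = self.port_range
        for _ in range(hi - lo + 1):
            port = self._next
            self._next = lo if port == hi else port + 1
            if (self.ext_ip, port) not in self.reverse:
                return port
        raise RuntimeError(f"{self.name}: port range exhausted")

    def _install(self, flow, mapping):
        self.table[flow] = mapping
        self.reverse[mapping] = flow

    def outbound(self, flow):
        """Translate an outbound packet: reuse the existing mapping or create
        one from our own range and announce it to every peer (requirement 2)."""
        if flow not in self.table:
            mapping = (self.ext_ip, self._alloc_port())
            self._install(flow, mapping)
            for peer in self.peers:
                peer.on_peer_add(flow, mapping)
        return self.table[flow]

    def inbound(self, ext_ip, ext_port):
        """De-translate a return packet. Works on any node that holds the
        mapping, whether it created it or learned it from a peer."""
        return self.reverse.get((ext_ip, ext_port))

    def close(self, flow):
        """Tear down a translation locally and on every peer (requirement 2)."""
        mapping = self.table.pop(flow, None)
        if mapping is not None:
            self.reverse.pop(mapping, None)
            for peer in self.peers:
                peer.on_peer_delete(flow)

    def on_peer_add(self, flow, mapping):
        """Accept a replicated translation. A port from our own range can only
        come from a misconfigured or hostile peer, so reject it."""
        _, ext_port = mapping
        if self.owns_port(ext_port):
            raise ValueError(f"{self.name}: peer offered port {ext_port} from my range")
        existing = self.reverse.get(mapping)
        if existing is not None and existing != flow:
            raise ValueError(f"{self.name}: {mapping} already mapped to {existing}")
        self._install(flow, mapping)

    def on_peer_delete(self, flow):
        mapping = self.table.pop(flow, None)
        if mapping is not None:
            self.reverse.pop(mapping, None)
```

In a real deployment the peer channel would need to be authenticated and confined to a trusted interface, because every accepted announcement installs a translation that the firewall will then honour for inbound traffic; the range check in `on_peer_add` only catches a peer stepping on this node's ports, not a forged announcement inside a peer's legitimate range.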