Re: [fw-wiz] NAPT - NAT Port selection
From: Harald Welte (laforge_at_netfilter.org)
To: firstname.lastname@example.org
Date: Tue, 24 Aug 2004 11:54:19 +0200
On Fri, Aug 20, 2004 at 09:05:37AM +0530, email@example.com wrote:
> Internally, among developers, we discussed this issue and we came out with
> one suggestion - Reuse of NAT port in multiple sessions, as long as
> at least one of 5 tuples is different - Since source IP is same (public IP
> address), destination IP or destination port has to be different.
Yes, this is what every Linux 2.4.x and Linux 2.6.x based system does
(Linux 2.4 and 2.6 use netfilter/iptables (http://www.netfilter.org/)).
> I solicit your feedback on this.
> - Is it good for NAPT device to use same NAT port for different
> sessions, if they are going to different destination (based on
> Destination IP and Port)? Do you see any problems associated with
> this apart from the one mentioned above?
It is questionable whether it is 'good'. I (as one of the netfilter
authors) think it is good as in:
- tries to preserve port numbers as much as possible and not
  make applications relying on port-number persistency break
- minimum use of resources (i.e. more than 64k sessions).
However, there is a group working on a NAT Behaviour draft within the
IETF that discourages this (they call it 'port overloading'), since it
creates less deterministic behaviour.
> - Any experiences?
No problems whatsoever. Please keep in mind the number of Linux
installations, especially in embedded devices sold as WLAN and DSL
> Thanks in advance
--
- Harald Welte <firstname.lastname@example.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
firewall-wizards mailing list
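The two allocation policies contrasted in the reply above, shown side by side as an added Python sketch that is not code from the thread or from netfilter: an external port reused across sessions whenever the translated 5-tuple still differs (the netfilter behaviour, 'port overloading' in the IETF draft's terms) versus one exclusive external port per session. The addresses, port numbers and the 1024-65535 fallback range are constructed for the example.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Private-side 5-tuple of a flow: (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]


@dataclass
class Napt:
    """Toy NAPT mapping table (constructed example, not netfilter's code).

    overload=True : an external port may serve several sessions as long as the
                    translated 5-tuple stays unique (different dst IP or port).
    overload=False: every session gets an exclusive external port per protocol,
                    the stricter behaviour the IETF NAT-behaviour draft prefers.
    """
    ext_ip: str
    overload: bool = True
    out: Dict[Flow, int] = field(default_factory=dict)      # private flow -> ext port
    back: Dict[Tuple, Flow] = field(default_factory=dict)   # reply key -> private flow

    def _key(self, proto: str, port: int, dst_ip: str, dst_port: int) -> Tuple:
        # With overloading a reply is identified by external port AND remote
        # endpoint; without it the external port alone must be unique.
        return (proto, port, dst_ip, dst_port) if self.overload else (proto, port)

    def allocate(self, flow: Flow) -> Optional[int]:
        """Return the external port for flow, preserving the source port when possible."""
        if flow in self.out:
            return self.out[flow]
        proto, _src_ip, src_port, dst_ip, dst_port = flow
        # Try the original source port first, then walk the high range.
        candidates = itertools.chain([src_port], (p for p in range(1024, 65536) if p != src_port))
        for port in candidates:
            key = self._key(proto, port, dst_ip, dst_port)
            if key not in self.back:
                self.out[flow] = port
                self.back[key] = flow
                return port
        return None  # table exhausted

    def translate_reply(self, proto: str, ext_port: int, remote_ip: str, remote_port: int) -> Optional[Flow]:
        """Map an inbound packet (to ext_ip:ext_port from remote) back to its private flow."""
        return self.back.get(self._key(proto, ext_port, remote_ip, remote_port))


def demo(overload: bool) -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Three hosts all using source port 5000; b targets another server, c the same server as a."""
    nat = Napt("203.0.113.1", overload=overload)
    a = ("tcp", "192.168.1.10", 5000, "198.51.100.7", 80)
    b = ("tcp", "192.168.1.11", 5000, "198.51.100.9", 80)
    c = ("tcp", "192.168.1.12", 5000, "198.51.100.7", 80)
    return nat.allocate(a), nat.allocate(b), nat.allocate(c)
```

With overloading `demo(True)` keeps port 5000 for both a and b and only c (same destination as a) is moved to 1024; without it `demo(False)` yields 5000, 1024, 1025, i.e. the port space is consumed per session rather than per destination.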