Re: [fw-wiz] NAPT - NAT Port selection

From: Harald Welte (laforge_at_netfilter.org)
Date: 08/24/04

To: ravivsn@www.rocsys.com
Date: Tue, 24 Aug 2004 11:54:19 +0200

    On Fri, Aug 20, 2004 at 09:05:37AM +0530, ravivsn@www.rocsys.com wrote:

    > Internally, among developers, we discussed this issue and we came out with
    > one suggestion - Reuse of a NAT port in multiple sessions, as long as
    > at least one of the 5 tuples is different - Since source IP is same (public IP
    > address), destination IP or destination port has to be different.

    yes, this is what every linux 2.4.x and linux 2.6.x based system does
    (linux-2.4 and 2.6 use netfilter/iptables (http://www.netfilter.org/))

    > I solicit your feedback on this.
    > - Is it good for NAPT device to use same NAT port for different
    > sessions, if they are going to different destination (based on
    > Destination IP and Port)? Do you see any problems associated with
    > this apart one mentioned above?

    It is questionable whether it is 'good'. I (as one of the netfilter
    authors) think it is good as in
            - tries to preserve port numbers as much as possible and not
              make applications relying on port number persistency break
            - minimum use of resources (i.e. more than 64k sessions).

    However, there is a group working on a NAT Behaviour draft within the
    IETF that discourages this (they call it 'port overloading'), since it
    creates less deterministic behaviour.

    > - Any experiences?

    no problems whatsoever. Please keep in mind the number of linux
    installations, especially in embedded devices sold as WLAN and DSL
    'Routers'.

    > Thanks in advance
    > Ravi

    -- 
    - Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
    ============================================================================
      "Fragmentation is like classful addressing -- an interesting early
       architectural error that shows how much experimentation was going
       on while IP was being designed."                    -- Paul Vixie

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
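The port-reuse rule discussed in the message above (the same NAT port may serve several sessions as long as the public-side 5-tuple stays unique), written out as a small mapping table. This is an added illustration, not netfilter code and not part of the original thread; the addresses, ports, the 1024-65535 fallback range and the absence of timeouts or TCP state tracking are constructed assumptions.

```python
import itertools
from typing import Dict, Optional, Tuple

# Public-side 5-tuple: (proto, ext_ip, ext_port, dst_ip, dst_port)
ExtKey = Tuple[str, str, int, str, int]
# Internal 5-tuple: (proto, src_ip, src_port, dst_ip, dst_port)
IntKey = Tuple[str, str, int, str, int]
Internal = Tuple[str, int]  # (src_ip, src_port)

EPHEMERAL_START, EPHEMERAL_END = 1024, 65535  # assumed fallback range


class NaptTable:
    """NAPT table that reuses an external port across sessions whenever the
    public-side 5-tuple is still unique ('port overloading'), and prefers
    to keep the internal source port unchanged ('port preservation')."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self._outbound: Dict[IntKey, int] = {}      # internal 5-tuple -> ext_port
        self._inbound: Dict[ExtKey, Internal] = {}  # public 5-tuple -> internal endpoint

    def translate_out(self, proto, src_ip, src_port, dst_ip, dst_port) -> int:
        """Return the external port for an outbound packet, allocating a mapping."""
        ikey = (proto, src_ip, src_port, dst_ip, dst_port)
        if ikey in self._outbound:
            return self._outbound[ikey]
        # Try the original source port first; only fall back to the ephemeral
        # range when that exact (ext_port, dst_ip, dst_port) is already taken.
        for port in itertools.chain([src_port], range(EPHEMERAL_START, EPHEMERAL_END + 1)):
            ekey = (proto, self.public_ip, port, dst_ip, dst_port)
            if ekey not in self._inbound:
                self._inbound[ekey] = (src_ip, src_port)
                self._outbound[ikey] = port
                return port
        raise RuntimeError("no free external port towards %s:%d" % (dst_ip, dst_port))

    def translate_in(self, proto, ext_port, peer_ip, peer_port) -> Optional[Internal]:
        """Map an inbound packet to its internal endpoint, or None if unsolicited.

        The lookup needs the full 5-tuple: the NAT port alone is ambiguous,
        which is exactly the 'less deterministic' property the IETF draft
        objects to (a peer other than the original destination finds no mapping)."""
        return self._inbound.get((proto, self.public_ip, ext_port, peer_ip, peer_port))
```

Two internal hosts both using source port 5000 towards different destinations share external port 5000, while a third host going to an already-used destination is moved to the fallback range.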