Re: [fw-wiz] NAPT - NAT Port selection
From: Harald Welte (laforge_at_netfilter.org)
Date: 08/24/04
- Previous message: John Galt: "[fw-wiz] Decrypted VPN traffic and access lists on outside interface of PIX"
- In reply to: ravivsn_at_www.rocsys.com: "[fw-wiz] NAPT - NAT Port selection"
To: ravivsn@www.rocsys.com
Date: Tue, 24 Aug 2004 11:54:19 +0200
On Fri, Aug 20, 2004 at 09:05:37AM +0530, ravivsn@www.rocsys.com wrote:
> Internally, among developers, we discussed this issue and we came out with
> one suggestion - Reusage of NAT port in multiple sessions, as long as
> at least one of 5 tuples is different - Since source IP is same (public IP
> address), destination IP or destination port has to be different.
yes, this is what every linux 2.4.x and linux 2.6.x based system does
(linux-2.4 and 2.6 use netfilter/iptables (http://www.netfilter.org/))
> I solicit your feedback on this.
> - Is it good for NAPT device to use same NAT port for different
> sessions, if they are going to different destination (based on
> Destination IP and Port)? Do you see any problems associated with
> this apart from the one mentioned above?
It is questionable whether it is 'good'. I (as one of the netfilter
authors) think it is good as in
- tries to preserve port numbers as much as possible and not
make applications relying on port number persistency break
- minimum use of resources (i.e. more than 64k sessions).
However, there is a group working on a NAT Behaviour draft within the
IETF that discourages this (they call it 'port overloading'), since it
creates less deterministic behaviour.
> - Any experiences?
no problems whatsoever. Please keep in mind the number of linux
installations, especially in embedded devices sold as WLAN and DSL
'Routers'.
> Thanks in advance
> Ravi
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie
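As an added illustration of the two policies discussed in this exchange (example code, not from the original message and not netfilter's implementation), a small Python model of a NAPT port allocator: it first tries to preserve the internal source port, then either overloads a public port across different destinations (uniqueness keyed on the full tuple) or, in strict mode, reserves one public port per session. The public address, internal addresses and port pools are constructed values.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.1"   # constructed documentation-range address


@dataclass
class Napt:
    overload: bool                      # True = port overloading (netfilter-style)
    ports: range = range(1024, 65536)   # public port pool; shrink it to see exhaustion
    # (proto, public_port, dst_ip, dst_port) -> (internal_ip, internal_port)
    sessions: Dict[Tuple, Tuple[str, int]] = field(default_factory=dict)
    used: Dict[str, Set[int]] = field(default_factory=dict)  # strict-mode bookkeeping

    def _free(self, proto: str, port: int, dst: Tuple[str, int]) -> bool:
        if self.overload:
            # only the full tuple must be unique; the port itself may be shared
            return (proto, port) + dst not in self.sessions
        # strict: a public port belongs to exactly one session
        return port not in self.used.get(proto, set())

    def allocate(self, proto, int_ip, int_port, dst_ip, dst_port) -> Optional[int]:
        """Pick the public port for an outbound flow; None when the pool is exhausted."""
        dst = (dst_ip, dst_port)
        # prefer the original source port so port-sensitive applications keep working
        preferred = [int_port] if int_port in self.ports else []
        others = (p for p in self.ports if p != int_port)
        for port in itertools.chain(preferred, others):
            if self._free(proto, port, dst):
                self.sessions[(proto, port) + dst] = (int_ip, int_port)
                self.used.setdefault(proto, set()).add(port)
                return port
        return None

    def inbound(self, proto, pub_port, remote_ip, remote_port) -> Optional[Tuple[str, int]]:
        """Map a packet arriving on the public side back to the internal endpoint."""
        if self.overload:
            # the remote endpoint is part of the key: a packet from any other
            # endpoint cannot be mapped, which is the 'less deterministic' property
            return self.sessions.get((proto, pub_port, remote_ip, remote_port))
        for key, internal in self.sessions.items():
            if key[:2] == (proto, pub_port):
                return internal
        return None
```

With a three-port pool, strict mode refuses the fourth session while overloading keeps handing out the preserved port to each new destination.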
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards