Re: NAT and Keep State IP Rule

From: Duane Arnold (notme_at_notme.com)
Date: 01/24/04

    Date: Sat, 24 Jan 2004 22:49:54 GMT

    Geoff Lane <gl1public@btinternet.com> wrote in
    news:fbh5105afeao2jb2tk7jpvkodlhi3dfijt@4ax.com:

    > On Sat, 24 Jan 2004 03:22:38 GMT, Duane Arnold <notme@notme.com>
    > wrote:
    >
    >
    >>> NAT appears to allow any incoming traffic that is related to an
    >>> outgoing request, that I understand.
    >>
    >>That would be true if Keep State is enabled.
    >
    > Which is the bit that is puzzling me.
    >
    > My router is a NAT router, I can also set a number of IP rules and
    > each IP rule can have 'Keep State' enabled or disabled.
    >
    > Unless this is an option for LAN routed traffic only,

    You need to understand what NAT and Stateful Packet Inspection do,
    because Keep State has nothing to do with LAN traffic, since LAN
    traffic never becomes WAN traffic leaving the network out to the Internet.
    With Keep State enabled, the router ensures that for every inbound packet
    from the Internet that is NAT mapped to a port/IP/machine, there was a
    corresponding outbound packet sent by a machine behind the router to the
    Internet; otherwise, the packet is dropped by SPI or KS.

    NAT by itself on the router does have a Stateful part, but that doesn't
    ensure that the inbound packets are legit. The SPI or *Keep State on an
    ADSL router* ensures this.

    > I don't know but
    > otherwise, if NAT does the 'keep state' itself I wonder what the IP
    > rule 'keep state' option is for.

    http://forum.draytek.com.au/index.php?showtopic=140

    Google is your friend and I suggest that you use it to gain the knowledge
    that you need. There is nothing wrong with using NG(s) as they are
    certainly helpful and needed. But on the other hand, Google will answer a
    lot of your questions upfront before posting to a NG.

    Duane :)
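As an added illustration (not part of the original post or thread), a toy NAT router in Python with the Keep State check switchable on and off. It shows the distinction the post makes: the NAT port mapping alone lets any Internet host reach a mapped port, while Keep State only admits inbound packets that match a prior outbound request. All addresses and ports are constructed documentation values, and real connection tracking also handles TCP flags and timeouts, which this skips.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

class ToyNatRouter:
    """Toy NAT router (constructed example): NAT keeps a port mapping only; Keep State adds a 4-tuple check."""

    def __init__(self, wan_ip: str, keep_state: bool):
        self.wan_ip = wan_ip
        self.keep_state = keep_state
        self.nat_table = {}       # (proto, wan_port) -> (lan_ip, lan_port): NAT's own "stateful part"
        self.lan_to_wan = {}      # (proto, lan_ip, lan_port) -> wan_port
        self.state_table = set()  # (proto, wan_port, remote_ip, remote_port): Keep State entries
        self.next_port = 40000

    def outbound(self, pkt: Packet) -> Packet:
        lan = (pkt.proto, pkt.src_ip, pkt.src_port)
        if lan not in self.lan_to_wan:  # allocate a WAN port for this LAN socket
            self.lan_to_wan[lan] = self.next_port
            self.nat_table[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        wan_port = self.lan_to_wan[lan]
        # Keep State: remember which remote endpoint this conversation was opened to
        self.state_table.add((pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port))
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        """Return the packet as delivered to the LAN host, or None if dropped."""
        mapping = self.nat_table.get((pkt.proto, pkt.dst_port))
        if mapping is None:
            return None  # no mapping at all: NAT alone has nowhere to send it
        if self.keep_state and (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port) not in self.state_table:
            return None  # mapped port, but no matching outbound request: SPI drops it
        lan_ip, lan_port = mapping
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.proto)

def demo(keep_state: bool):
    # Returns (reply_delivered, unrelated_delivered, unmapped_delivered)
    r = ToyNatRouter("203.0.113.10", keep_state)  # constructed WAN address
    out = r.outbound(Packet("192.168.1.20", 51000, "198.51.100.5", 80))
    reply = Packet("198.51.100.5", 80, r.wan_ip, out.src_port)         # genuine reply
    unrelated = Packet("198.51.100.99", 4444, r.wan_ip, out.src_port)  # other host, same mapped port
    unmapped = Packet("198.51.100.99", 4444, r.wan_ip, 22)             # port with no NAT mapping
    return tuple(r.inbound(p) is not None for p in (reply, unrelated, unmapped))
```

With Keep State off, `demo(False)` delivers the unrelated packet because the mapping exists; with it on, `demo(True)` delivers only the genuine reply.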
