TransACT Cable Router

Dale Shaw DShaw at exceed.com.au
Wed Apr 2 10:05:40 EST 2003


Bob,

Yeah -- brain wasn't fully engaged when I was thinking about how the
device might handle packets targeted for its visible address when PAT
(or more accurately "Network Address Port Translation (NAPT)") is used
as distinct from basic NAT (one-to-one or many-to-many). RFC1631 is all
over the shop, but it doesn't talk about translating TCP and UDP port
numbers. RFC2663 seems to exist because of confusion around NAT-related
terminology (I'd never heard of "IP Masquerading" until I used Linux and
ipfwadm in about 1993; I wish the term would go away).

I was talking about out of band connection attempts to the xDSL
interface's IP address -- obviously in a NAPT scenario it can't possibly
know which (of possibly many) "inside" hosts to un-translate and forward
to, so it _must_ drop the packet(s) on the floor. In a basic/traditional
NAT scenario, you have to wonder how the router would handle incoming
packets, since it DOES have a 1:1 IP translation and theoretically knows
exactly where to forward them on the inside. This is probably covered by
section 4.2 of RFC2663 ("Bi-directional NAT"), but since the various
vendors usually just say "yeah, we do NAT", it probably doesn't help
John with his quest.

NAT sucks :-) Three cheers for application proxies!

Cheers,
Dale
 
-----Original Message-----
From: Robert Edwards [mailto:Robert.Edwards at anu.edu.au] 
Sent: Wednesday, 2 April 2003 9:20 AM
To: Dale Shaw; John Griffiths
Cc: linux at lists.samba.org

On Tue, 1 Apr 2003 11:27 am, Dale Shaw wrote:
> I don't know about the Netgear RT314 but the Linksys model doesn't
> appear to include fully fledged firewalling capabilities. It says it
> provides firewalling via NAT, but NAT in itself only provides security
> by obscurity. It's not clear whether or not it would protect in any way
> an 'inside' host with an active translation from attacks on the
> Internet.
>
[...]

I'm not sure how the Netgear RT314 implements NAT (and I'm not sure what
you mean by PAT etc.) but in normal NAT/IP-Masquerading, the router
performs the reverse translation (for incoming packets) based on the
entire 4-tuple of the connection (if it is TCP etc.) or similar for UDP.
That is, it will take into account the IP address of the external
(publicly accessible) host in performing the reverse translation.

This means that your inside machine is only susceptible on the one port
that is open (or more than one, if you have multiple connections running)
from the one external IP address you connected to.

I agree that there is a lot of firewall functionality that this doesn't
include, but NAT itself will stop all manner of port-scanning style
attacks.

Cheers,

Bob Edwards.
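A small model of the two behaviours discussed in this thread (NAPT reverse translation keyed on the full connection tuple, versus one-to-one NAT forwarding inbound packets to the mapped inside host), added here as an illustration and not part of the original thread; the addresses, port allocator and simplified state tables are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Napt:
    """Many-to-one NAT with port translation (NAPT), as Bob describes it:
    the reverse translation is looked up on the whole connection tuple."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port  # constructed allocator; real boxes vary
        # (proto, external ip, external port, public port) -> (inside ip, inside port)
        self.table: dict[tuple, tuple] = {}

    def outbound(self, pkt: Packet) -> Packet:
        pub_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, pkt.dst_ip, pkt.dst_port, pub_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet):
        # A packet to the visible address is only un-translated if the external
        # host, external port and public port all match an existing mapping;
        # anything else (a scan, or another host reusing the port) is dropped.
        inside = self.table.get((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port))
        if pkt.dst_ip != self.public_ip or inside is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)


class BasicNat:
    """One-to-one NAT (RFC2663 'bi-directional'): no per-connection state, so an
    inbound packet to a mapped public address is forwarded to the inside host
    on the same port, whoever sent it."""

    def __init__(self, public_to_inside: dict[str, str]):
        self.public_to_inside = dict(public_to_inside)

    def inbound(self, pkt: Packet):
        inside_ip = self.public_to_inside.get(pkt.dst_ip)
        if inside_ip is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, pkt.dst_port, pkt.proto)
```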
