Performance improvement for NAT in IPFIREWALL
Ruslan Ermilov
ru at freebsd.org
Wed Jul 2 16:32:51 PDT 2003
On Wed, Jul 02, 2003 at 07:06:25PM -0400, Chuck Swiger wrote:
[...]
> By itself, NAT provides no benefit to security, and some implementations
> actually reduce the security of the system compared with not running NAT.
>
Our natd(8) contributes to security somewhat, by providing the
-deny_incoming option.
Also, by using a dedicated IP address for a NAT, and blocking
(with a firewall) all incoming packets that do not match an
already established connections (originated locally, or mapped
with static redirection rules), you secure your NAT host.
(This is even without the -deny_incoming option to natd(8).)
Here's the relevant part of the functioning firewall ruleset:
# Route to the per-interface ruleset.
${fwcmd} add skipto 1000 ip from any to any via ${iif}
${fwcmd} add skipto 2000 ip from any to any via ${oif}
...
# EXTERNAL INTERFACE RULESET
# Spoof protection.
${fwcmd} add 2000 deny ip from ${inet} to any in
...
# NAT.
${fwcmd} add divert natd ip from ${inet} to any out
${fwcmd} add divert natd ip from any to ${nat} in
${fwcmd} add deny ip from any to ${nat} in
Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
ru at sunbay.com Sunbay Software Ltd,
ru at FreeBSD.org FreeBSD committer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-net/attachments/20030703/e86b41db/attachment.bin
More information about the freebsd-net
mailing list