From: Florin Andrei <florin@andrei.myip.org>
To: netfilter@lists.netfilter.org
Subject: Re: NAT on stateless firewall ?
Date: Fri, 03 Aug 2007 11:23:22 -0700 [thread overview]
Message-ID: <46B3729A.8030605@andrei.myip.org> (raw)
In-Reply-To: <46B2FB97.3090605@plouf.fr.eu.org>
Pascal Hambourg wrote:
> Florin Andrei a écrit :
>> Since HTTP is the only thing traversing the firewall,
>
> Really ? No ICMP error messages, no outgoing DNS queries ?
Right, some ICMP stuff required by TCP, which can also be handled stateless.
DNS is separate. The traffic on the "master blaster" is kept very simple.
>> I stumbled upon "-t raw" and I'm testing it, looks like it does what I
>> need.
>
> If you mean using the NOTRACK target, this is a bad idea. Packets in the
> UNTRACKED state will be ignored by the connection tracking *and* thus by
> the stateful NAT which depends on it.
You're right. :-(
I assume I can still pretend that conntrack does not exist, and just
write the rules as if it was a stateless firewall. It will waste CPU
cycles and memory, but that's fine. I can even tweak the netfilter
parameters so that the connection tracking expires much faster, to keep
the size down.
A stateless firewall will fail over much more quickly and more reliably
than any stateful firewall.
I would use conntrackd, I just don't know how well tested it is in
high-bandwidth high-reliability setups. I may revise that decision, but
right now I'm focusing on stateless.
Security with stateless should not be a problem in such a simple
configuration (only one open port, well-behaved protocol, all traffic
initiated from outside).
Grant Taylor wrote:
>
> Dare I ask why you are wanting to use Proxy ARP?
Well, it's required by DNAT, isn't it? It looks like even SNAT to an
address different than the main IP on the firewall interface requires it
for the return traffic.
I'm snooping the traffic, I see the ARP request for the DNAT'ed address,
but there's no reply. So the firewall must be told to answer that request.
I'm not yet sure why this is so complicated. I remember doing proxy ARP
on Slackware 10 years ago (that was, like, kernel 2.0 or something like
that) and it was a very straightforward job.
<sigh> back to doing tests.
--
Florin Andrei
http://florin.myip.org/
next prev parent reply other threads:[~2007-08-03 18:23 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-08-02 23:08 NAT on stateless firewall ? Florin Andrei
2007-08-03 1:49 ` Gregory Carter
2007-08-03 3:30 ` Florin Andrei
2007-08-03 4:10 ` Grant Taylor
2007-08-03 9:55 ` Pascal Hambourg
2007-08-03 18:23 ` Florin Andrei [this message]
2007-08-03 19:11 ` Florin Andrei
2007-08-03 19:15 ` Martijn Lievaart
2007-08-03 19:56 ` Florin Andrei
2007-08-03 20:37 ` Martijn Lievaart
2007-08-03 20:51 ` Grant Taylor
2007-08-05 20:16 ` Martijn Lievaart
2007-08-06 1:04 ` Grant Taylor
2007-08-06 5:01 ` Martijn Lievaart
2007-08-06 14:11 ` Grant Taylor
2007-08-03 19:23 ` Grant Taylor
2007-08-03 19:53 ` Pascal Hambourg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46B3729A.8030605@andrei.myip.org \
--to=florin@andrei.myip.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.