From: Patrick McHardy <kaber@trash.net>
To: "Rémi Denis-Courmont" <rdenis@simphalempin.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [Patch 0/2] Avoid direct connections between NATed hosts
Date: Wed, 17 Jan 2007 13:13:26 +0100 [thread overview]
Message-ID: <45AE12E6.2080308@trash.net> (raw)
In-Reply-To: <200701121939.42232@auguste.remlab.net>
Rémi Denis-Courmont wrote:
> Le vendredi 12 janvier 2007 19:20, Patrick McHardy a écrit :
>
>>Port randomization would still be a useful feature, not to wilfully
>>break skype, but to make spoofing attacks harder. Currently we
>>undo randomization done by the operating system/application. Since
>>its optional I don't see real harm in it.
>
>
> Right, randomizing port numbers when they are allocated can make it
> slightly more difficult to spoof DNS. Does the "regular" socket code
> picks port at random or not though? And is the port allocation logic
> shared between socket and NAT code (IMHO it should either be shared or
> at least be equivalent)? It makes little sense to secure host behind
> the NAT and not secure yourself; that also imples there should be no
> need for an iptables option to enable/disable it.
Its not shared, local port allocation is quite different from NAT.
> My concern is with when (and how) Netfilter NAT code allocates a new
> port number. If the source private-IP/port are identical, the external
> NATed-IP/port ought be identical too, and certainly not another
> randomized value.
>
> With that, you have the advantage of random source port numbers (better
> spoof protection), while not breaking any NAT-aware P2P app.
Thats impossible to guarantee, since we're mapping many address to
one we might get clashes.
next prev parent reply other threads:[~2007-01-17 12:13 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-01-12 16:59 [Patch 0/2] Avoid direct connections between NATed hosts Eric Leblond
2007-01-12 17:02 ` [Patch 1/2] " Eric Leblond
2007-01-12 17:04 ` [Patch 2/2] iptables: add random option to SNAT Eric Leblond
2007-01-12 17:11 ` [Patch 0/2] Avoid direct connections between NATed hosts Rémi Denis-Courmont
2007-01-12 17:20 ` Patrick McHardy
2007-01-12 17:39 ` Rémi Denis-Courmont
2007-01-17 12:13 ` Patrick McHardy [this message]
2007-01-12 22:53 ` Jan Engelhardt
2007-01-13 12:06 ` Resend [Patch 2/2] iptables: add random option to SNAT Eric Leblond
2007-01-13 21:00 ` Resend [Patch 1/2] Avoid direct connections between NATed hosts Eric Leblond
2007-01-17 12:23 ` Patrick McHardy
2007-01-17 15:18 ` Eric Leblond
2007-01-19 15:36 ` Patrick McHardy
2007-01-26 14:00 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45AE12E6.2080308@trash.net \
--to=kaber@trash.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=rdenis@simphalempin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).