Re: ipv6 question

On Tuesday, January 04, 2011 12:52:42 pm Marko Vojinovic wrote:
> You have the exact same situation if you use IPv4 and NAT. The outside system 
> has the IPv4 of your router, and can use that IP to scan for any open port on 
> your inside machine. Namely, once your NAT-ed machine initiates the connection 
> to the outside machine, NAT will happily accept any incoming connection from 
> that outside machine, typically on all ports, translate to your local IP and 
> forward back inside (at least in the default configuration). That's how NAT 
> works, it translates the addresses from non-routable to routable and back, 
> trying to keep the communication as open as possible, both ways. Didn't you 
> know this?

This is incorrect for many implementations of NAT.

I refer in particular to Cisco IOS NAT, IOS 12.4(23) mainline on a 7206/NPE-G1, using NAT pools and overloading.  Incoming packets addressed to the outside interface that don't match the flows that the router knows about get dropped.  So if I connect to your website from inside my network, you can't randomly initiate a connection back to my box (that's what the overloading, allowing multiple internal IPs onto a single 'inside global' (using Cisco terms) IP, prevents).  The only conduit through the NAT is using the specific source-address:source-port/destination-address:destination-port pair that the translation sets up.

If I have, say, 100 computers inside my network, and have 32 global addresses, and overload the dynamic translations onto three global addresses, you have no way of getting to the inside addresses except through the translations set up during the outgoing flow initiation.  You have to jump through hoops to get things like H.323 to work (Cisco at least has support for connection tracking so the packets, mostly UDP, can get back to where they need to go).  No ACLs are necessary to create this behavior, at least with Cisco IOS NAT.

The same (or similar) is true for Smoothwall, at least, naming one firewall appliance/distribution that I use and that uses the Linux kernel.  Tested that one; you have to configure zone bridging and port forwarding to get the behavior you mention.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
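The disagreement in this thread comes down to how an overloaded (port-translating) NAT filters inbound packets. The following simulation is an added example, not code from either poster, from Cisco, or from Smoothwall: it models a single inside-global address shared by several inside hosts and compares two inbound filtering policies. The "flow" policy mirrors the behaviour described above (an inbound packet is forwarded only if it matches the exact source-address:source-port/destination-address:destination-port pair that an outbound packet set up); the "port" policy mirrors the quoted claim (anything arriving on a mapped global port is forwarded to whichever inside host owns the mapping). All addresses and ports are constructed documentation values, and the policy names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# A packet is (src_addr, src_port, dst_addr, dst_port); constructed values only.
Packet = Tuple[str, int, str, int]


@dataclass
class Translation:
    """One dynamic entry in the overload table, keyed by the global port."""
    inside_local: str
    inside_port: int
    outside_addr: str
    outside_port: int
    global_port: int


class OverloadNAT:
    """Port-overloaded NAT: many inside hosts share one inside-global address.

    filtering="flow": inbound must match the 4-tuple that created the entry
                      (the behaviour described in the reply above).
    filtering="port": inbound only needs to hit a mapped global port
                      (the behaviour asserted in the quoted text).
    Both names are this example's own labels, not vendor terminology.
    """

    def __init__(self, inside_global: str, filtering: str = "flow") -> None:
        if filtering not in ("flow", "port"):
            raise ValueError("filtering must be 'flow' or 'port'")
        self.inside_global = inside_global
        self.filtering = filtering
        self._next_port = 1024                 # next unused global port
        self.table: Dict[int, Translation] = {}

    def outbound(self, src: str, sport: int, dst: str, dport: int) -> Packet:
        """Translate an inside->outside packet, creating an entry if needed."""
        for t in self.table.values():
            if (t.inside_local, t.inside_port, t.outside_addr, t.outside_port) == (
                src, sport, dst, dport
            ):
                return (self.inside_global, t.global_port, dst, dport)
        gport = self._next_port                # each new flow gets its own port,
        self._next_port += 1                   # which is what keeps hosts apart
        self.table[gport] = Translation(src, sport, dst, dport, gport)
        return (self.inside_global, gport, dst, dport)

    def inbound(self, src: str, sport: int, dst: str, dport: int) -> Optional[Packet]:
        """Translate an outside->inside packet; None means the packet is dropped."""
        if dst != self.inside_global:
            return None                        # not addressed to our outside address
        t = self.table.get(dport)
        if t is None:
            return None                        # no translation for this port: dropped
        if self.filtering == "flow" and (src, sport) != (t.outside_addr, t.outside_port):
            return None                        # mapped port, but not the flow that set it up
        return (src, sport, t.inside_local, t.inside_port)


def compare_policies() -> Dict[str, Optional[Packet]]:
    """Drive both policies with the same traffic and return what reaches the inside.

    Two inside hosts talk to the same web server; the server (or anything else
    at that address) then sends an unsolicited packet to the mapped port.
    """
    results: Dict[str, Optional[Packet]] = {}
    for policy in ("flow", "port"):
        nat = OverloadNAT("203.0.113.1", filtering=policy)
        nat.outbound("10.0.0.5", 40000, "198.51.100.7", 80)   # host A -> global :1024
        nat.outbound("10.0.0.6", 40000, "198.51.100.7", 80)   # host B -> global :1025
        # Legitimate reply from the server's port 80 to host A's mapping.
        results[f"{policy}:reply"] = nat.inbound("198.51.100.7", 80, "203.0.113.1", 1024)
        # Same outside host, different source port, aimed at host A's mapping.
        results[f"{policy}:unsolicited"] = nat.inbound("198.51.100.7", 4444, "203.0.113.1", 1024)
        # A port that no outbound flow ever mapped.
        results[f"{policy}:unmapped"] = nat.inbound("198.51.100.7", 80, "203.0.113.1", 22)
    return results


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(f"{name:18} -> {'dropped' if outcome is None else outcome}")
```

Under the "flow" policy only the genuine reply is forwarded; the unsolicited packet to a mapped port and the packet to an unmapped port are both dropped, which is the behaviour the reply attributes to IOS overloading and to Smoothwall. Under the "port" policy the unsolicited packet reaches the inside host, which is the exposure the quoted text describes. When auditing a NAT device, the check is therefore not whether it translates at all but which of these filtering behaviours its dynamic entries carry.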