Re: Hiding NATs with PF

From: Simon Farnsworth (usenet_at_farnz.org.uk)
Date: 09/28/05 

Date: Wed, 28 Sep 2005 19:44:45 +0100

Max Bolingbroke wrote:

> None. The only restriction is against routers. The claim is that a NAT
> router causes upstream routing headaches. Is this true? I would have
> thought that since it acts just like a single host all the performance
> penalty is occured by the NAT device itself, as ti does the source port
> translation etc.
>
Assuming the person who sets the NAT router up is competent, it's not an
issue. However, it's not uncommon for internal routing infrastructure to be
running on RFC 1918 private IP addresses (the same batch you'll choose your
private addresses from). If you (by accident or through stupidity) start
letting your "private" addresses through, you could kill parts of their
campus routing by poisoning ARP tables.

>> I know of such networks where there is a strict ``no nat'' policy
>> because they don't want to deal with abuse hidden by that and the
>> resulting expected gefingerpointing. I can't blame them for their
>> motives.
>
> Interesting, they don't cite that as a reason. What abuse could be
> hidden by a NAT that could not be hidden by a single host with firewall
> enabled? Could you please tell me if the one they give (above) is
> actually valid? If so I will of course comply with their request.
>
You and I share one IP via NAT; said IP is registered to you. I break into a
bank's computer system. When the authorities come to get you, you point the
finger at me. I point the finger at you, and we have a standoff. By banning
NAT routers, your upstream can get you for unauthorised NAT even if they
can't get you for the break-in. 

-- 
Simon Farnsworth

Relevant Pages

  • Re: router help needed ....urgent
    ... now what i need is that all my traffic for internet ... >> routing or PBR on cisco, ... If both links are to the same ISP router then you can use BGP ... Why not just put the 2 internet feeds into a hub/switch and connect the router by 1 ethernet port and use IP routing and NAT to determine the best route to use. ...
    (comp.dcom.sys.cisco)
  • Re: Simple Routing using FC2/3
    ... >> This silly routing thing is driving me buzzonkers. ... >> first email concerning the gateway address of the LAN PC. ... > the 192.168.213.x addresses back to your router box. ... > NAT on the router box you are describing so all of the 192.168.213.x net ...
    (Fedora)
  • Re: newbie to home network dhcp worries
    ... this is not fine unless the routing has been arranged. ... > using DHCP on the WAN for IP and providing DHCP on the LAN side, ... > router will be fully able to reach the internet. ... you MUST run NAT on at least the Modem(the ...
    (microsoft.public.win2000.networking)
  • Re: NAT vs. True Firewalls
    ... NAT is a routing ... > certainly not a protocol, ... RIP router ever knowing it. ...
    (comp.security.firewalls)
  • Re: Static Translations Disappearing
    ... this router and see if they have the same behavior. ... you are running into a NAT bug. ... It wouldn't hurt to change IOS and ... ....where it just shows all translations being dynamic (0 static, ...
    (comp.dcom.sys.cisco)