
List:       ipfilter
Subject:    Re: symmetric NAT with IPFilter
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2004-01-16 13:04:19
Message-ID: 200401161304.AAA02823 () avalon ! reed ! wattle ! id ! au

In some email I received from Alicia da Conceicao, sie wrote:
> Greetings:
> 
> Does IPFilter have the ability to provide a "Symmetric NAT"?  If so, in
> what version of IPFilter was the ability for "Symmetric NAT" introduced,
> and what do I need to do to enable it?
> 
> I just ran a STUN client during SIP testing, and it reported that several
> of my firewalls (running IPFilter from versions 3.4.9 to 3.4.29) were all
> determined to be "Port Restricted Cone NAT", even though I am running
> stateful NAT firewalls (using "keep state").
> 
> A full "Symmetric NAT" firewall is considered more secure than a "Port
> Restricted Cone NAT", since each connection to different IP addresses are
> mapped to their own IP:port pair, so I was surprised to discover that my
> current IPFilter firewalls didn't do this.

IPFilter can only do that IFF you have multiple IP addresses to map
to but even then, its default method is to work through available
port numbers and IP addresses systematically.

However, the advice in that document is false and misleading.  There
are a lot of web sites where you need to have the same IP# in all
connections to it so that session tracking behaves correctly.
Whereas with some other firewall packages you might need to configure
this behaviour and any security benefit is negligible.

Darren
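The two mapping behaviours the thread contrasts, as an added toy model (not IPFilter's code, and not from either poster): a "port restricted cone" NAT gives an internal socket one external (ip, port) and reuses it for every destination, while a "symmetric" NAT allocates a fresh external (ip, port) for each internal-socket/destination pair. Both kinds in this model only admit inbound packets from a peer (ip, port) the socket has already sent to. The classify() step mimics what a STUN client does: send from the same socket to two server addresses and compare the reflexive addresses they report. Addresses come from RFC 5737 documentation ranges and the allocation scheme (cycle through the external IP pool, ports ascending) is an assumption standing in for the "systematic" behaviour described above; source_ips_seen_by() illustrates the session-tracking concern, namely that with a pool of external addresses a single site contacted from several sockets sees more than one source IP.

```python
"""Toy model of port-restricted-cone versus symmetric NAT mapping and a
STUN-style classification of the two. Added illustration only."""

from itertools import count

# Constructed addresses (RFC 5737 ranges); assumptions, not from the thread.
CLIENT = ("10.0.0.5", 5060)
STUN_A = ("192.0.2.10", 3478)
STUN_B = ("192.0.2.20", 3478)


class Nat:
    def __init__(self, symmetric, external_ips=("203.0.113.1",), first_port=40000):
        self.symmetric = symmetric
        self.external_ips = list(external_ips)
        self.port_counter = count(first_port)
        self.allocations = 0
        self.table = {}    # mapping key -> external (ip, port)
        self.reverse = {}  # external (ip, port) -> (internal (ip, port), allowed peers)

    def _allocate(self):
        # Assumed "systematic" allocation: cycle the IP pool, ports ascend.
        ip = self.external_ips[self.allocations % len(self.external_ips)]
        self.allocations += 1
        return ip, next(self.port_counter)

    def outbound(self, src, dst):
        """Translate an outbound packet src -> dst; return the external address used."""
        # Symmetric: one mapping per (socket, destination).
        # Port restricted cone: one mapping per socket, shared by all destinations.
        key = (src, dst) if self.symmetric else src
        if key not in self.table:
            ext = self._allocate()
            self.table[key] = ext
            self.reverse[ext] = (src, set())
        ext = self.table[key]
        # Remember the peer so its replies are admitted (port-restricted filtering).
        self.reverse[ext][1].add(dst)
        return ext

    def inbound(self, ext, peer):
        """Deliver a packet from peer addressed to ext; None means dropped."""
        entry = self.reverse.get(ext)
        if entry is None or peer not in entry[1]:
            return None
        return entry[0]


def classify(nat, client=CLIENT):
    """STUN-style test: same internal socket, two server addresses."""
    seen_by_a = nat.outbound(client, STUN_A)
    seen_by_b = nat.outbound(client, STUN_B)
    return "Symmetric NAT" if seen_by_a != seen_by_b else "Port Restricted Cone NAT"


def source_ips_seen_by(nat, site, client_ports):
    """Set of external source IPs one site observes from several client sockets."""
    return {nat.outbound((CLIENT[0], p), site)[0] for p in client_ports}


if __name__ == "__main__":
    for name, nat in (("cone", Nat(symmetric=False)), ("symmetric", Nat(symmetric=True))):
        print(name, "->", classify(nat))
    pool = Nat(symmetric=True, external_ips=("203.0.113.1", "203.0.113.2"))
    print("site sees", source_ips_seen_by(pool, ("198.51.100.7", 443), (50000, 50001, 50002)))
```

The model deliberately lets a symmetric NAT vary the port even with a single external address, which is how STUN tells the types apart; the point in the reply above is that IPFilter varies the address only when it has several to choose from, and that a pool of addresses is exactly what breaks sites that expect one source IP per session.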