At 15:22 27/02/01 +0100, florentin demetrescu wrote:
> hello,
>
> i'm a newbie and i still have little knowledge in network security, but
> i have a question about the basic firewall design:
> - i would like to know if it is better (more secure) in a firewall
> implementation to do NAT before applying the packet filter rules or to do
> the contrary (PF before NAT)?
Generally, NAT is "near" the interface on which it applies. So:
- at input stage, NAT is applied before filtering
- at output stage, NAT is applied after the filtering.
Let's concentrate on input filtering (My guess is this is the case that
you consider).
The reason why you NAT first is that only then can the filter know the
effective destination.
If you filter before, you might have a situation where all packets are going
to your FW's external address, since they haven't yet been mapped back
to the private IP address where they're to go.
That said, I would love it if one could have a simple filter before the NAT
module to configure anti-spoofing rules, such as rejecting packets going to
10.* and so on.
While this is not a real problem (the stateful filter or the proxy will
reject it), it is good to know that someone is playing silly games.
> Or maybe is it judicious not to make a
> distinction between the various types of rules and simply let the user
> specify the order in which he wants the rules to be applied..
depends on your NAT.
If it's a "traditional" one, then the rule syntax is different from that
of the filter. For example, you can't have a NAT rule of the form:
if src=10.* _____AND______ dst=2.* then map src to 1.2.3.*
in this case, you should separate the modules.
otherwise, choose whatever.
More clearly, filters generally have rules of the form:
if a set of selectors match some values, then reject|allow|domedo
the condition may be a matching on a combination of src/dst addresses and
ports, IP protocol, TCP flags, and so on.
This is generally not true for NAT. So mixing both rulesets makes the GUI
complex for not much value...
cheers,
mouss
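An added example, not part of the thread, simulating the input-stage ordering mouss describes: destination NAT maps the firewall's external address to an internal web server, a filter is run either after or before that NAT step, and a simple pre-NAT anti-spoofing check rejects and logs packets already addressed into 10/8. The addresses, the DNAT table and the filter rule are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology (an assumption for this example, not from the thread):
# the firewall's external address is 203.0.113.1; inbound TCP/80 is DNATed
# to the internal web server 10.0.0.10.
FW_EXTERNAL = ipaddress.ip_address("203.0.113.1")
PRIVATE_NET = ipaddress.ip_network("10.0.0.0/8")
DNAT_TABLE = {(FW_EXTERNAL, 80): (ipaddress.ip_address("10.0.0.10"), 80)}
# Input filter written against the effective (post-NAT) destination; first match wins.
FILTER_RULES = [("allow", ipaddress.ip_network("10.0.0.10/32"), 80)]


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def nat(pkt):
    """Destination NAT: rewrite dst/dport when a mapping exists, else pass through."""
    mapped = DNAT_TABLE.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=mapped[0], dport=mapped[1]) if mapped else pkt


def packet_filter(pkt):
    """Stateless input filter over whatever destination the packet currently carries."""
    for action, net, port in FILTER_RULES:
        if pkt.dst in net and pkt.dport == port:
            return action
    return "deny"


def antispoof(pkt, log):
    """Simple pre-NAT check on the external interface: a packet arriving from
    the Internet already addressed into 10/8 is bogus, so drop it and log it."""
    if pkt.dst in PRIVATE_NET:
        log.append(f"spoof: {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return False
    return True


def nat_then_filter(pkt, log):
    """Input stage as the reply recommends: anti-spoof, then NAT, then filter."""
    if not antispoof(pkt, log):
        return "deny"
    return packet_filter(nat(pkt))


def filter_then_nat(pkt, log):
    """The other order: the filter only ever sees the firewall's external address."""
    if not antispoof(pkt, log):
        return "deny"
    return packet_filter(pkt)  # NAT would run after this, too late for the rule
```

Without the pre-NAT check, an outside packet already addressed to 10.0.0.10 passes NAT untouched and matches the post-NAT allow rule, which is exactly the "silly game" worth logging.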
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]