Hi,
I'm running two different Linux IP Masq servers at two locations. I also
administer a Solaris Checkpoint Firewall-1 Server doing NAT on a 500-user
internal network. Recently, the Firewall-1 server was brought down by a
Trojan which was initiating connections to different IPs on the internet as
fast as it could. Apparently, the Firewall-1 software was translating each
packet and filling up its Kernel NAT table until eventually it crashed.
I would like to recommend that they install a Linux IP Masq server to
replace the Firewall-1 software. However, there are two things it must be
able to do:
1) The firewall should not be vulnerable to this type of flooding attack.
Is there some sort of 'masq quota' implementation where each IP Address is
limited to a fixed number of concurrent connections (i.e. 1000)? This would
stop the server from crashing or allowing that single computer to affect the
other users.
2) Is it possible to do NAT with more than one IP Address? A number of the
servers are behind the Firewall and currently are assigned static IP
Addresses on a different subnet. The firewall translates the incoming IP
and forwards the packet to the internal computer.
I read an article describing half of #2 - it explained how to use iproute2
to masquerade different internal subnets to different external IP
Addresses (I think the addresses were aliased on the firewall's external
interface). I can use this to route individual computers or entire subnets
through a particular IP Address. Perhaps if I used 'ipmasqadm -L <addr>
80 -R <internaladdr> 80' this would forward packets coming into the aliased
external interface <addr> to the correct internal computer - but would it
distinguish between the aliased addresses? Guess I'll have to look at the
source...
Any help would be appreciated!
Thanks in advance,
-Louis Parrot
[EMAIL PROTECTED] (remove the -NOSPAM).
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
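The two requirements in the post above (a per-host "masq quota" so one trojaned machine cannot fill the NAT table, and NAT with more than one external address, including port forwards that tell the aliased addresses apart) are modelled in the following added example. This is illustration code, not code from the masq project, ipmasqadm, iproute2 or the poster; the table size of 4096 entries, the quota of 1000, the 10.1.0.0/24 and 10.2.0.0/24 subnets and the 203.0.113.x / 198.51.100.x addresses are all made-up values.

```python
"""Toy model of a masquerading NAT table with a per-host connection quota and
several aliased external addresses.  Added illustration for the masq-list post;
not code from the masq project, ipmasqadm or iproute2.  Table size, quota and
every address are assumed values."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class NatTable:
    capacity: int               # assumed fixed size of the kernel NAT table
    quota: int = 0              # max concurrent flows per internal host, 0 = no quota
    snat: dict = field(default_factory=dict)     # internal net -> external address
    portfw: dict = field(default_factory=dict)   # (ext address, port) -> (int address, port)
    entries: dict = field(default_factory=dict)  # flow 4-tuple -> external source address
    per_host: Counter = field(default_factory=Counter)
    refused_quota: int = 0
    refused_full: int = 0

    def external_for(self, src):
        """Pick the aliased external address for an internal source (SNAT policy)."""
        ip = ipaddress.ip_address(src)
        for net, ext in self.snat.items():
            if ip in net:
                return ext
        raise ValueError(f"no external address configured for {src}")

    def outbound(self, src, sport, dst, dport):
        """Masquerade a new outbound flow.  Returns the external source address,
        or None when the host is over quota or the table is full."""
        key = (src, sport, dst, dport)
        if key in self.entries:
            return self.entries[key]
        if self.quota and self.per_host[src] >= self.quota:
            self.refused_quota += 1      # one host cannot starve the others
            return None
        if len(self.entries) >= self.capacity:
            self.refused_full += 1       # the table-exhaustion failure the post describes
            return None
        ext = self.external_for(src)
        self.entries[key] = ext
        self.per_host[src] += 1
        return ext

    def inbound(self, ext_dst, dport):
        """Reverse-translate an inbound packet.  The lookup key includes the
        external destination address, so the same port on two aliased
        addresses can forward to two different internal servers."""
        return self.portfw.get((ext_dst, dport))

    def close(self, src, sport, dst, dport):
        """Flow ended: free its table entry and the host's quota slot."""
        if self.entries.pop((src, sport, dst, dport), None) is not None:
            self.per_host[src] -= 1


def demo_table(quota=0, capacity=4096):
    """Assumed layout: the 10.1.0.0/24 user subnet goes out as 203.0.113.10,
    two internal servers each get their own aliased external address, and
    port 80 on each of those two addresses forwards to a different server."""
    return NatTable(
        capacity=capacity, quota=quota,
        snat={ipaddress.ip_network("10.1.0.0/24"): "203.0.113.10",
              ipaddress.ip_network("10.2.0.5/32"): "203.0.113.11",
              ipaddress.ip_network("10.2.0.6/32"): "203.0.113.12"},
        portfw={("203.0.113.11", 80): ("10.2.0.5", 80),
                ("203.0.113.12", 80): ("10.2.0.6", 80)},
    )


def trojan_storm(quota=0, trojan_flows=5000, users=50):
    """One infected host (10.1.0.77, constructed) opens trojan_flows flows to
    distinct destinations as fast as it can; afterwards `users` other hosts
    each try to open one flow.  Returns (flows the trojan got, users served,
    users refused)."""
    nat = demo_table(quota=quota)
    got = sum(
        nat.outbound("10.1.0.77", 1024 + i, f"198.51.100.{i % 254 + 1}", 80) is not None
        for i in range(trojan_flows))
    served = sum(
        nat.outbound(f"10.1.0.{u}", 40000, "198.51.100.1", 80) is not None
        for u in range(1, users + 1))
    return got, served, users - served


if __name__ == "__main__":
    print("no quota:   trojan/served/refused =", trojan_storm(quota=0))
    print("quota 1000: trojan/served/refused =", trojan_storm(quota=1000))
    t = demo_table()
    print("10.2.0.5 goes out as", t.outbound("10.2.0.5", 5555, "198.51.100.9", 25))
    print("inbound 203.0.113.11:80 ->", t.inbound("203.0.113.11", 80))
    print("inbound 203.0.113.12:80 ->", t.inbound("203.0.113.12", 80))
```

Without a quota the infected host takes every one of the 4096 entries and all 50 other users are refused; with a quota of 1000 it is capped and the others are unaffected, which is the "masq quota" behaviour the post asks for. The inbound side keys the forward on (external address, port), which is what would be needed for the aliased addresses to be told apart; whether the ipmasqadm port forwarder on the poster's kernel keys its table that way is exactly the open question in the post, and this model does not answer it.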