On 22 Nov 2017, at 7:36 (-0500), Martin Gregorie wrote:

> On Wed, 2017-11-22 at 00:39 -0500, Bill Cole wrote:
>> A related and increasingly common (dunno why) source of never
>> hitting DNSBL rules is a form of firewall/router NAT sometimes called
>> "Secure NAT" where inbound connections have their source IPs
>> replaced with the IP of the device handling the NAT.
>
> Thanks for the heads-up on this 'Secure NAT' facility: this is the first
> I've heard of it, but I don't buy ADSL routers very often.

I don't think I've ever seen it in ADSL or DOCSIS routers except for "hairpin" connections where an inside device tries to connect to an outside address. Which is probably a bug...

I have seen it behind Cisco PIX/ASA devices, F5 BIG-IP load balancers, and some software-defined networking subsystems in "cloud" environments.

> I have a slightly OTT question about it: in your experience has this
> 'Secure NAT' facility been selectable as part of the device's
> configuration or is it always on?

I've always run into it from the standpoint of a network tenant or advisor to a network tenant, not a network admin, i.e. managing servers on an RFC1918 network whose border gateways I don't directly control or helping someone in that situation. For example, I worked some years ago in a corporate environment where F5 had recently landed a big deal and everything suddenly needed to be behind a pair of BIG-IP load balancers, even the outside mail cluster. I didn't like it beforehand, but when it was done and the guy who'd taken the F5 kickback^W^W^W^W approved the F5 contract suddenly started to get a flood of spam, I discovered that "Secure NAT" was apparently the default. In that case I got my MTAs released from captivity, since DNS does good-enough load balancing for mail. More recently, I had a *considerate* net admin ask me if I wanted his ASA to do "smtp fixup" (NO) and/or "secure NAT" (NO) for a mail cluster, so I guess it's at least optional for the ASA (and probably whatever old PIXs are still out there). For cloud/SDN environments I don't know which providers default which way, but generally speaking if you point an MX to a cloud provider, you should shell out for a real IP that isn't fiddled with, not a NAT address.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Currently Seeking Steady Work: https://linkedin.com/in/billcole
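A quick way to spot the symptom the thread describes from the MTA side, as an added example that is not part of the original post: inspect the connecting-client IP in the MTA's own Received header across a sample of messages. If every connection appears to come from one address, and especially from an RFC1918 address, the border device is rewriting source IPs and DNSBL lookups on the "client" can never hit. The Received lines below are constructed samples; the 10.0.0.1 gateway address and the header format are assumptions.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample: the MTA's own Received header from four messages.
# Behind "Secure NAT" every client appears to come from the NAT device
# itself, here the (assumed) RFC1918 gateway address 10.0.0.1.
SAMPLE_RECEIVED = [
    "from mail.example.net (mail.example.net [10.0.0.1]) by mx.example.com",
    "from unknown (HELO foo) ([10.0.0.1]) by mx.example.com",
    "from relay.example.org ([10.0.0.1]) by mx.example.com",
    "from host.example.com (host.example.com [10.0.0.1]) by mx.example.com",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def connecting_ip(received):
    """Return the bracketed IPv4 literal in a Received header, or None."""
    m = IP_RE.search(received)
    return m.group(1) if m else None

def is_rfc1918(ip):
    """True if ip lies in one of the RFC1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def diagnose(received_headers, min_samples=3):
    """Classify what the MTA sees as the connecting client across a sample.

    nat-rfc1918       every connection shows one private address: DNSBLs
                      never list RFC1918 space, so DNSBL rules cannot hit
    nat-single-source every connection shows one public address: the
                      gateway's own IP, equally useless for DNSBL lookups
    rfc1918-seen      some private client addresses mixed in
    ok                varied public addresses, DNSBL lookups are meaningful
    """
    ips = [ip for ip in (connecting_ip(h) for h in received_headers) if ip]
    if len(ips) < min_samples:
        return {"status": "insufficient", "distinct": len(set(ips))}
    top_ip, top_n = Counter(ips).most_common(1)[0]
    if top_n == len(ips):
        status = "nat-rfc1918" if is_rfc1918(top_ip) else "nat-single-source"
    elif any(is_rfc1918(ip) for ip in ips):
        status = "rfc1918-seen"
    else:
        status = "ok"
    return {"status": status, "top_ip": top_ip, "share": top_n / len(ips)}
```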
