Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.mel.connect.com.au!munnari.OZ.AU!spool.mu.edu!usenet.eel.ufl.edu!news.mathworks.com!news.kei.com!newsfeed.internetmci.com!in2.uu.net!brighton.openmarket.com!decwrl!usenet.cisco.com!iverson
From: iverson@cisco.com (Tim Iverson)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: IP Masqerading?
Date: 16 Aug 1996 02:19:55 GMT
Organization: cisco
Lines: 132
Message-ID: <4v0lsb$6uv@cronkite.cisco.com>
References: <jfortes-1307951117380001@10.0.2.15> <320F6E48.1EF468BB@lambert.org> <4urdc4$87m@herald.concentric.net> <32127AB2.21876B97@lambert.org>
NNTP-Posting-Host: rottweiler.cisco.com

In article <32127AB2.21876B97@lambert.org>, Terry Lambert <terry@lambert.org> wrote:

|Daniel Ts'o wrote:
|> Being uninformed, my impression is that proxying via the toolkit
|> Socks is very application specific. It would be nice to have a more
|> general solution. Isn't masquerading more general ?

Hmmm. I just wrote a large, and rather argumentative, followup to Terry's NAT opinion. It's down below if you care to read that far.

The answer to your question depends on what solution you are trying to solve. NAT and proxies are designed to solve different problems. NAT will allow you to map one block of IP addresses to another. Socks does that as a side-effect -- its purpose is to provide secure access across a firewall. If your goal is security, a proxy is often easier to set up than NAT, though you can be equally secure and compliant with either -- it depends entirely on the implementation and installation of the NAT and the proxy.

If you require a transparent proxy for FreeBSD right now, IPFilter's NAT is the only free solution. Socks-5 is not 100% transparent -- it's still a true proxy and requires client support. However, there is a Win-95 daemon for socks-5 that can provide transparency for apps on that OS; it's buggy, but it may work for you.

- Tim Iverson
  iverson@lionheart.com

Here's the rest of my response ... don your asbestos, Terry!

|> Socks is very application specific. It would be nice to have a more
|> general solution. Isn't masquerading more general ?
|
|No, it is not. It is invalid because it violates the following RFC's:

Hmmm. This seems to directly contradict the Socks-5 RFC. Allow me to quote RFC-1928 3.:

"When a TCP-based client wishes to establish a connection to an object that is reachable only via a firewall (such determination is left up to the implementation), it must open a TCP connection to the appropriate SOCKS port on the SOCKS server system."

In other words, if your application doesn't support socks, you can't use it. So, NAT is more general than Socks.

Second, if you have a daemon that catches direct requests and translates them into socks requests, you have done *precisely* what NAT does. The difference is that you now need a daemon on every client to perform the socks translation instead of just a single NAT agent on the firewall.

Also, while we're on the subject of RFCs -- they are not law. They're just a *guideline* on how to achieve interoperability. Strict adherence to all RFCs does not come close to guaranteeing functionality. If you can talk to those you need to talk to without annoying others in the process, then you need do nothing more.

Lastly, not all NATs are created equal. Some break lots of RFCs, others do just as good a job as socks-5+firewall. In all cases, it depends on both implementation and installation. YMMV is the law here.

|o RFC-1919... "Classical versus Transparent IP Proxies".

This "breakage" is merely a warning that indiscriminate use of transparent proxies (eg. NAT without a filter) can result in a breach in your firewall.

|o RFC-1256 ICMP router discovery doesn't work through a
| "masquerade".

It doesn't work past a firewall, either, nor would you want it to. In essence, so what?

|o RFC 1063 MTU discovery doesn't work through a "masquerade";

Uh, and why not? Even blind NAT will have no problem properly conveying the information for this option, which may not even be supported by the client hiding behind the NAT.

|o RFC-1477 IDP touches on proxy requirements which seem to not
| be met by "masquerading".

Again, if the NAT supports IDPR, you'll have no problem using it. I doubt anyone using FreeBSD will want to use it.

|o RFC 1935 "Looking at Firewalls", paragraph 2. Using "IP
| masquerading" would allow a client to supply outside
| services.

<sigh> So what? If you need NAT, use it. Yes, it takes quite a bit of work to keep a *large* NAT'd network secure, but most of us that *need* NAT are running small and relatively simple networks that are easy to secure.

|o RFC 1272 requires that "proxy agents have to do their own
| accounting for services, since the network cannot
| distinguish on whose behalf they are acting.".

You're really reaching here. Accounting is always a matter of personal taste and, NAT or not, you can always add more to meet your needs.

|1) Socks5 -- that's Socks****5**** -- supports proxying without
| modifying applications.

Absolutely it does not. See above, where I quoted RFC 1928, the SOCKS-5 protocol spec. If your app doesn't support the socks protocol or you don't have a daemon performing translation to socks-5, you're SOL. And, daemon+socks is exactly the same as NAT+filter, not to mention that the only translating daemon I know of is for Win-95 and is somewhat buggy.

|2) You can use NAT. Be aware that you are in violation of the
| RFC's which you must implement to be allowed on the Internet
| as a "good network citizen" if you enable some types of
| packet forwarding.

This is incredibly misleading. Using NAT may cause *you* some problems if you try NAT'ing a large network. It almost certainly won't cause anyone else any problems unless you do something grossly incorrect, like NAT to someone else's IP block.

Obviously, you have something of an axe to grind wrt. NAT -- it sounds like you may be currently supporting a large network or three, which would explain why. NAT on large networks can be a nightmare. However, used judiciously, it can be a godsend on smaller networks. I save several hundred dollars a month using NAT to a single IP instead of renting an IP block and I don't really see any compelling reasons to abandon IP-Filter + NAT in favor of Socks-5 + ipfw. Quite the opposite, in fact.

- Tim Iverson
  iverson@lionheart.com
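The two mechanisms the post contrasts, as an added example that is not part of the original thread and is not IPFilter's or any SOCKS implementation's code: a toy many-to-one NAT gateway that hides an inside block behind one outside address and admits return traffic only for flows the inside created (the "NAT + filter" the post says you need, and the breach RFC 1919 warns about when the filter is missing), next to an RFC 1928 CONNECT request and reply, which is exactly the client-side protocol support the quoted section 3 demands. The addresses, ports and the `NatGateway`/`Flow` names are constructed for this illustration; the NAT model keeps one outside port per flow and has no timeouts or ICMP handling.

```python
"""Added example: a stateful many-to-one NAT table beside an RFC 1928 SOCKS5 request."""
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A TCP/UDP 4-tuple as the gateway sees it (constructed model, not a real packet)."""
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Masquerading: every inside host is rewritten to outside_ip with a per-flow port.

    The inbound path is the filter: a packet to outside_ip is translated only when
    it matches an entry created by outbound traffic; everything else is dropped.
    """

    def __init__(self, inside_block, outside_ip, first_port=40000):
        self.inside = ipaddress.ip_network(inside_block)
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_table = {}  # (src, sport, dst, dport) -> outside port
        self.in_table = {}   # (outside port, remote host, remote port) -> (src, sport)

    def outbound(self, flow):
        """Rewrite an inside->outside packet; allocate a mapping on first sight."""
        if ipaddress.ip_address(flow.src) not in self.inside:
            raise ValueError("source is not inside the masqueraded block")
        key = (flow.src, flow.sport, flow.dst, flow.dport)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, flow.dst, flow.dport)] = (flow.src, flow.sport)
        return Flow(self.outside_ip, port, flow.dst, flow.dport)

    def inbound(self, flow):
        """Rewrite an outside->inside packet; return None to mean 'drop'."""
        if flow.dst != self.outside_ip:
            return None
        entry = self.in_table.get((flow.dport, flow.src, flow.sport))
        if entry is None:
            return None  # unsolicited: no inside host asked for this
        src, sport = entry
        return Flow(flow.src, flow.sport, src, sport)


# RFC 1928 constants (section 4: request; section 6: reply)
SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def socks5_connect_request(host, port):
    """Build VER CMD RSV ATYP DST.ADDR DST.PORT; the client must emit this itself."""
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Parse VER REP RSV ATYP BND.ADDR BND.PORT into (rep, bound_host, bound_port)."""
    ver, rep, rsv, atyp = data[:4]
    if ver != SOCKS_VER or rsv != 0x00:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, off = data[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError("unsupported ATYP")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return rep, host, port


if __name__ == "__main__":
    gw = NatGateway("10.0.2.0/24", "192.0.2.1")  # constructed documentation addresses
    out = gw.outbound(Flow("10.0.2.15", 1025, "198.51.100.7", 80))
    print("outbound rewritten to", out)
    print("reply translated to", gw.inbound(Flow("198.51.100.7", 80, "192.0.2.1", out.sport)))
    print("stray inbound ->", gw.inbound(Flow("203.0.113.9", 12345, "192.0.2.1", out.sport)))
    print("SOCKS5 CONNECT bytes:", socks5_connect_request("198.51.100.7", 80).hex())
```

The contrast the post draws falls out of the code: `NatGateway` rewrites packets without the application knowing, so any client works, while `socks5_connect_request` has to be produced by the client (or by a per-host translating daemon), which is why an unmodified application cannot use a SOCKS server.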