Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.mel.connect.com.au!news.mira.net.au!inquo!in-news.erinet.com!ddsw1!news.mcs.net!nntp04.primenet.com!nntp.primenet.com!news.mathworks.com!enews.sgi.com!decwrl!usenet.cisco.com!iverson
From: iverson@cisco.com (Tim Iverson)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: IP Masqerading?
Date: 19 Aug 1996 22:40:15 GMT
Organization: Lionheart Software
Lines: 61
Message-ID: <4vaqgf$2d7@cronkite.cisco.com>
References: <jfortes-1307951117380001@10.0.2.15> <32127AB2.21876B97@lambert.org> <4v0lsb$6uv@cronkite.cisco.com> <32151AD0.699795F7@lambert.org>
NNTP-Posting-Host: rottweiler.cisco.com

In article <32151AD0.699795F7@lambert.org>,
Terry Lambert <terry@lambert.org> wrote:

|[re: NAT]
|Basically, it's for lazy people or cheap people.
|I have no problem with people being cheap, but they should admit
|...
|I have a problem with lazy people.  But, since I don't want to

Time is money, so cheap and lazy are equivalent.  ;-)

|] The difference is that you now need a daemon on every client
|] to perform the socks translation instead of just a single NAT
|] agent on the firewall.
|
|Actually, you route packets from the local network (which you
|give one of the non-routable addresses) into the tunnel and
|therefore to a socks client.  The socks daemon runs on the
|same machine, and you have a static route which you *don't*
|locally advertise, and which differs from the default route
|on the network (which will be the firewall's card address on
|the local net).

Hmmm.  I'm pretty clear on what the daemon must do; it lives on the FW and
converts socks-naive packets for external addresses into socks5 requests,
and socks5 responses into internal socks-naive replies.  I'm not too clear
on how you mean to deliver the naive packets to the daemon.

However it's done, it seems like this is identical to NAT -- the only
difference is that it begs for a user-space design, while NAT leans more
toward kernel-space.

|Given that there are typically better alternatives to NAT in all
|but a few cases (*real* range translation, for instance), I will
|pretty much put all NAT usage in the category "indiscriminate use".

I generally assume that anyone using NAT is running a smart NAT that
properly proxies at least ICMP, and almost certainly other commonly used
protocols as well (e.g. FTP).  You seem to equate NAT with blind NAT;
i.e. pure address translation without anything else.

Basically, what I think of as NAT is what you think of as socks5+daemon,
and what you think of as NAT, I think is a gross hack best left chained to
the fencepost to keep it from eating the neighbor's kids.

|Again, it's not this use that's at issue.  It's the use of NAT as
|a lazy-man's fix for something that should be fixed another way.
...
|But of course, as long as people keep making halfway usable
|solutions available, no one is going to buckle down and Do The
|Right Thing.  8-(.
...
|Like I said, it triggers my elegance filter.  Nothing personal.

I used to run one of those, but that was back before I discovered that
each day has a 24 hour limit.  ;-)

Other than satisfying aesthetics, what concrete gains are there for
socks5+daemon over a smart proxying NAT?  I don't see any, especially
since I'd call a solution that remapped externally bound packets via a
local S5/daemon 'NAT' -- "a rose by any other name ...".


- Tim Iverson
  iverson@lionheart.com
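The blind-versus-smart NAT distinction drawn in the post above, as an added example that is not part of the thread: a constructed Python model in which both NATs rewrite the IP header, but only the "smart" one also rewrites the private address an active-mode FTP client embeds in its PORT command, which is why blind translation alone breaks FTP. The NAT class, the addresses and the port numbers are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.10"  # constructed: the firewall's external address

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""

class NAT:
    """Outbound NAT. Blind: header only. Smart: also fixes FTP PORT payloads."""
    def __init__(self, smart):
        self.smart = smart
        self.table = {}  # (internal ip, internal port) -> public port
        self.next_port = 40000

    def _alloc(self, key):
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.table[key]

    def translate(self, pkt):
        pub_port = self._alloc((pkt.src, pkt.sport))
        payload = pkt.payload
        if self.smart and pkt.dport == 21:
            payload = self._fix_ftp_port(payload, pkt.src)
        return Packet(PUBLIC_IP, pub_port, pkt.dst, pkt.dport, payload)

    def _fix_ftp_port(self, payload, internal_ip):
        # Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" naming the
        # address/port the server should connect back to (RFC 959).
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", payload)
        if not m or ".".join(m.group(i) for i in range(1, 5)) != internal_ip:
            return payload
        data_port = int(m.group(5)) * 256 + int(m.group(6))
        pub_data = self._alloc((internal_ip, data_port))  # expect inbound connect
        return f"PORT {PUBLIC_IP.replace('.', ',')},{pub_data // 256},{pub_data % 256}\r\n"

def leaks_private_address(pkt):
    """True if the outbound payload still advertises an RFC 1918 address."""
    return re.search(r"PORT (10,|192,168,|172,(1[6-9]|2\d|3[01]),)", pkt.payload) is not None

def compare(payload, internal_ip="10.0.0.5", sport=2000, server="198.51.100.7"):
    # Push one FTP control packet through a blind NAT and a smart NAT.
    pkt = Packet(internal_ip, sport, server, 21, payload)
    return NAT(smart=False).translate(pkt), NAT(smart=True).translate(pkt)
```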