Firewall Wizards mailing list archives
Re: How should NAT terminate ?
From: "TC Wolsey" <twolsey () realtech com>
Date: Mon, 10 Jan 2000 10:11:06 -0500
>>> Darren Reed <darrenr () reed wattle id au> 01/10/00 03:13AM >>>

Here's something for folks out there to have a think about. You have your dialup PC, sitting at home, gatewaying your workstation from which you surf away on the web. Your link drops, you redial and get a new IP# for your NAT sessions. For at least some period of time, your old IP# may be black holed, or worse, allocated to another Internet user. The second case is worse because small amounts of your web session *may* leak to someone else. Whatever the case, there is a period of time in which the original endpoints believe a connection exists, which no longer does.

Should a pre-emptive strike be launched by the firewall to blow these away by doing something like sending TCP RSTs? What about for DNS/NTP queries - are ICMP unreachables appropriate?

Darren
Attempting to terminate the connection seems like a good idea, but how is it done reliably in an environment where the firewall does not terminate the data-link connection to one side of the connection? In a dialup environment I would guess that you would look for host/destination unreachables from some point inside the firewall and close the connections based on that info. Of course that would require filtering on each line to prevent a DoS where one inside attacker host spoofs unreachables, which would cause the firewall to close active connections to the victim host.

What happens in a broadcast capable environment where the blackhole exists for a longer period (say an ARP timeout)? Also in this environment the unreachables have to be filtered at two layers, the typically static data-link and the dynamic network.

Regards,
--tcw
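As an added example, not code from the thread or from either poster: a toy NAT state table in Python that does the two things discussed above. On redial it synthesises a TCP RST for each tracked TCP session and an ICMP port unreachable for each UDP session, as Darren proposes, and it only lets an inbound ICMP unreachable close a session if it arrived from a router configured for that line and quotes a datagram the firewall actually forwarded, which is the per-line filter TC asks for against a spoofing inside host. Addresses, ports, the sequence number and the line name `lan` are constructed sample data; the `in_rcv_nxt` field assumes the NAT tracked the inside host's acknowledgements so the RST lands in its receive window.

```python
"""Toy NAT teardown and unreachable filtering (constructed example)."""
import ipaddress
import struct
from dataclasses import dataclass, field

ICMP, TCP, UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a header carrying a valid checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def l4_checksum(src: str, dst: str, proto: int, segment: bytes) -> int:
    pseudo = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return checksum(pseudo + struct.pack("!BBH", 0, proto, len(segment)) + segment)


@dataclass(frozen=True)
class Session:
    proto: int
    in_src: str        # inside host (private address)
    in_sport: int
    dst: str           # remote peer
    dport: int
    out_sport: int     # translated source port on the old outside address
    in_rcv_nxt: int = 0  # TCP only: next seq the inside host expects (assumed tracked)


def tcp_rst_to_inside(s: Session) -> bytes:
    """RST spoofed from the remote peer; honoured only if seq is in the inside host's window."""
    tcp = struct.pack("!HHIIBBHHH", s.dport, s.in_sport, s.in_rcv_nxt, 0, 5 << 4, 0x04, 0, 0, 0)
    tcp = tcp[:16] + struct.pack("!H", l4_checksum(s.dst, s.in_src, TCP, tcp)) + tcp[18:]
    return ipv4_header(s.dst, s.in_src, TCP, len(tcp)) + tcp


def icmp_unreachable(src: str, dst: str, code: int, quoted: bytes) -> bytes:
    """Type 3 destination unreachable quoting the offending IP header plus 8 transport bytes."""
    icmp = struct.pack("!BBHI", 3, code, 0, 0) + quoted[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(src, dst, ICMP, len(icmp)) + icmp


def udp_quote(s: Session) -> bytes:
    """Header of the inside host's own outbound UDP datagram, which the unreachable must quote."""
    return ipv4_header(s.in_src, s.dst, UDP, 8) + struct.pack("!HHHH", s.in_sport, s.dport, 8, 0)


@dataclass
class NatTable:
    sessions: set = field(default_factory=set)
    # per line: router addresses allowed to originate unreachables ("filtering on each line")
    unreach_sources: dict = field(default_factory=dict)

    def teardown_on_redial(self) -> list:
        """New outside address: old mappings are dead, tell the inside hosts now."""
        out = []
        for s in sorted(self.sessions, key=lambda x: (x.proto, x.in_src, x.in_sport)):
            if s.proto == TCP:
                out.append(tcp_rst_to_inside(s))
            elif s.proto == UDP:
                out.append(icmp_unreachable(s.dst, s.in_src, 3, udp_quote(s)))
        self.sessions.clear()
        return out

    def accept_unreachable(self, line: str, pkt: bytes):
        """Return the session an inbound unreachable on `line` legitimately closes, else None."""
        ihl = (pkt[0] & 0x0F) * 4
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        if pkt[9] != ICMP or src not in self.unreach_sources.get(line, ()):
            return None                      # not a router on this line: an inside host spoofing
        icmp = pkt[ihl:]
        if len(icmp) < 8 or icmp[0] != 3 or checksum(icmp) != 0:
            return None
        inner = icmp[8:]
        if len(inner) < 20 or len(inner) < (inner[0] & 0x0F) * 4 + 4:
            return None
        inner_ihl = (inner[0] & 0x0F) * 4
        inner_src = str(ipaddress.IPv4Address(inner[12:16]))
        inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
        sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
        # quoted datagram must be one we forwarded inbound: remote peer -> inside host
        match = next((s for s in self.sessions
                      if (s.proto, s.dst, s.dport, s.in_src, s.in_sport)
                      == (inner[9], inner_src, sport, inner_dst, dport)), None)
        if match is not None:
            self.sessions.discard(match)
        return match
```

The allowlist only narrows who may speak; an attacker on the same segment who can also spoof the router's address still has to quote the exact four-tuple of the victim's session, and the data-link filtering TC mentions is what stops the address spoof itself, which this example does not model.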
Current thread:
- How should NAT terminate ? Darren Reed (Jan 09)
- Re: How should NAT terminate ? Mikael Olsson (Jan 10)
- Re: How should NAT terminate ? Darren Reed (Jan 12)
- Re: How should NAT terminate ? Mikael Olsson (Jan 15)
- Y2K fix for 'elm' (Was: Re: How should NAT terminate ?) Joseph S D Yao (Jan 20)
- Re: Y2K fix for 'elm' (Was: Re: How should NAT terminate ?) Darren Reed (Jan 20)
- Re: How should NAT terminate ? Darren Reed (Jan 12)
- <Possible follow-ups>
- RE: How should NAT terminate ? Ben Nagy (Jan 10)
- RE: How should NAT terminate ? Johnny Shelley (Jan 12)
- Re: How should NAT terminate ? Darren Reed (Jan 12)
- Re: How should NAT terminate ? TC Wolsey (Jan 10)
- RE: How should NAT terminate ? James R Grinter (Jan 12)
- RE: How should NAT terminate ? Ben Nagy (Jan 13)
- Re: How should NAT terminate ? Mikael Olsson (Jan 10)