Firewall Wizards mailing list archives
Re: NAT vs translation vs routing in Gauntlet firewall
From: "Mordechai T. Abzug" <morty () frakir org>
Date: Thu, 13 Jun 2002 19:22:00 -0400
On Thu, Jun 13, 2002 at 08:39:56AM -0400, George Lewis wrote:
> We're running Gauntlet 5.5 on Solaris 2.6 (we've just started the upgrade process to Gauntlet 6.0). I was asked recently whether we were using NAT on the firewall, and my answer was no, but it does translate all internal IP addresses to a single external address. The reason I answered no is that Gauntlet does provide NAT support, but it is not configured to do so. I was then asked whether it was doing routing, to which I said yes, but I'm told that's not the case. So, I don't have NAT configured, but the firewall does translate addresses, and apparently is not routing. Can anyone provide insight into this subject? Gauntlet does translate addresses, but is that NAT? Are NAT and routing mutually exclusive, such that it either NATs or it routes, or is there something in between?
Normally, NAT and NAT-P imply routing -- you can't do a regular NAT unless you're also routing. All NAT devices are routers, but not all routers are NAT devices.

Now, if you're using Gauntlet transparent proxies, not NATing, and configuring Gauntlet to not use the source addresses, Gauntlet will use the firewall's IP for outgoing connections. This looks like NAT, but isn't -- NAT and NAT-P are modifying packets at layers 3 and 4, while transparent proxies use a slightly different technology (port redirection) on the client side to intercept packets, and create an entirely new session on the server side to talk to the server.

If you configure a transparent proxy to use the original source address, ironically, it looks to an outside observer more like a simple routed connection, but it requires more translation by the proxy to achieve the additional transparency. Implementing any amount of transparency on the firewall requires routing to be enabled. Note that some people say "route" when they really mean "packet filter". A Gauntlet with transparent proxying and no packet filter rules is still routing.

If you proxy without transparency enabled at all (which requires that your users manually configure their clients to use your proxy), then you don't need to have any routing enabled, and you don't need NAT or anything similar. Again, the proxy will create a whole new session on the server side, terminated with its own IP. This might look like NAT to an observer, but it isn't.

- Morty

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
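The distinction Morty draws above, modelled in code as an added example that is not from the thread and not Gauntlet code: a NAT-P device rewrites the source address and port of the client's own datagram and forwards it (so the server sees the client's TCP sequence number and a decremented TTL), while a transparent proxy that has intercepted the connection by port redirection opens a brand-new session from the firewall's own IP (fresh sequence number, the proxy host's own TTL), optionally keeping the client's source address. All addresses, ports, TTL and sequence values are constructed for the example.

```python
"""Toy model of what a server observes behind NAT-P versus a transparent proxy.

Added example, not Gauntlet's implementation. Every address, port, TTL and
sequence number below is constructed for illustration.
"""
from dataclasses import dataclass, replace
import itertools

FIREWALL_OUTSIDE_IP = "203.0.113.1"   # constructed: firewall's external address
CLIENT_IP = "10.1.2.3"                # constructed: an internal host
SERVER_IP = "198.51.100.7"            # constructed: an external server


@dataclass(frozen=True)
class Packet:
    """Header fields relevant to the discussion: L3/L4 addressing plus two
    fields that survive NAT but not proxying (TTL and TCP sequence number)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ttl: int
    seq: int


class NatP:
    """Source NAT with port translation.

    The client's datagram is routed: the source IP and port are rewritten in
    place and the TTL is decremented by the forwarding step. With IP forwarding
    off there is no packet to translate."""

    def __init__(self, external_ip: str, ip_forward: bool = True):
        self.external_ip = external_ip
        self.ip_forward = ip_forward
        self.table = {}      # (src_ip, src_port, dst_ip, dst_port) -> external port
        self.reverse = {}    # (server_ip, server_port, external port) -> original 4-tuple
        self._ports = itertools.count(40000)

    def outbound(self, pkt: Packet) -> Packet:
        if not self.ip_forward:
            raise RuntimeError("NAT needs routing enabled; packet dropped")
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            ext_port = next(self._ports)
            self.table[key] = ext_port
            self.reverse[(pkt.dst_ip, pkt.dst_port, ext_port)] = key
        return replace(pkt, src_ip=self.external_ip,
                       src_port=self.table[key], ttl=pkt.ttl - 1)

    def inbound(self, pkt: Packet) -> Packet:
        """Server's reply: undo the translation from the state table and route it."""
        src_ip, src_port, _, _ = self.reverse[(pkt.src_ip, pkt.src_port, pkt.dst_port)]
        return replace(pkt, dst_ip=src_ip, dst_port=src_port, ttl=pkt.ttl - 1)


class TransparentProxy:
    """Proxy reached by port redirection on the inside interface.

    The client's packet is delivered to the proxy process, not forwarded. The
    proxy terminates that session and opens a new one to the server with its
    own initial sequence number, its own TTL and, unless configured to keep
    the client's source address, the firewall's own IP."""

    def __init__(self, external_ip: str, keep_source_address: bool = False):
        self.external_ip = external_ip
        self.keep_source_address = keep_source_address
        self._ports = itertools.count(50000)
        self._isn = itertools.count(1_000_000, 7)   # constructed ISN generator

    def relay(self, pkt: Packet) -> Packet:
        src_ip = pkt.src_ip if self.keep_source_address else self.external_ip
        return Packet(src_ip=src_ip, src_port=next(self._ports),
                      dst_ip=pkt.dst_ip, dst_port=pkt.dst_port,
                      ttl=64, seq=next(self._isn))


def client_syn() -> Packet:
    """Constructed SYN from the internal host to the server's port 80."""
    return Packet(CLIENT_IP, 51515, SERVER_IP, 80, ttl=128, seq=123456)


def server_view(mode: str) -> Packet:
    """What the server receives for the same client SYN under each design."""
    pkt = client_syn()
    if mode == "nat":
        return NatP(FIREWALL_OUTSIDE_IP).outbound(pkt)
    if mode == "proxy":
        return TransparentProxy(FIREWALL_OUTSIDE_IP).relay(pkt)
    if mode == "proxy-keep-source":
        return TransparentProxy(FIREWALL_OUTSIDE_IP, keep_source_address=True).relay(pkt)
    raise ValueError(mode)


if __name__ == "__main__":
    for mode in ("nat", "proxy", "proxy-keep-source"):
        print(f"{mode:18} -> {server_view(mode)}")
```

Under "nat" and "proxy" the server sees the same source IP, which is why both look like NAT from outside; only the TTL and sequence number reveal whether it is the client's datagram (NAT) or the proxy's own session. With keep_source_address the proxy's session carries the client's IP and so resembles plain routing, while still being a second TCP session.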
Current thread:
- NAT vs translation vs routing in Gauntlet firewall George Lewis (Jun 13)
- Re: NAT vs translation vs routing in Gauntlet firewall Mordechai T. Abzug (Jun 14)
- Re: NAT vs translation vs routing in Gauntlet firewall Dave Piscitello (Jun 25)
- Re: NAT vs translation vs routing in Gauntlet firewall Jason Lewis (Jun 26)
- Re: NAT vs translation vs routing in Gauntlet firewall Dave Piscitello (Jun 25)
- Re: NAT vs translation vs routing in Gauntlet firewall Mordechai T. Abzug (Jun 14)