Firewall Wizards mailing list archives
Re: NAPT - NAT Port selection
From: Harald Welte <laforge () netfilter org>
Date: Tue, 24 Aug 2004 11:54:19 +0200
On Fri, Aug 20, 2004 at 09:05:37AM +0530, ravivsn () www rocsys com wrote:
> Internally, among developers, we discussed this issue and we came out with one suggestion - Reusage of NAT port in multiple sessions, as long as at least one of the 5 tuples is different - Since source IP is same (public IP address), destination IP or destination port has to be different.
Yes, this is what every Linux 2.4.x and Linux 2.6.x based system does (Linux 2.4 and 2.6 use netfilter/iptables (http://www.netfilter.org/)).
> I solicit your feedback on this. - Is it good for a NAPT device to use the same NAT port for different sessions, if they are going to different destinations (based on Destination IP and Port)? Do you see any problems associated with this apart from the one mentioned above?
It is questionable whether it is 'good'. I (as one of the netfilter authors) think it is good as in
- tries to preserve port numbers as much as possible and not make applications relying on port number persistency break
- minimum use of resources (i.e. more than 64k sessions).
However, there is a group working on a NAT Behaviour draft within the IETF that discourages this (they call it 'port overloading'), since it creates less deterministic behaviour.
> - Any experiences?
No problems whatsoever. Please keep in mind the number of Linux installations, especially in embedded devices sold as WLAN and DSL 'routers'.
> Thanks in advance,
> Ravi
--
- Harald Welte <laforge () netfilter org>               http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie
Attachment:
signature.asc
Description: Digital signature
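The two port-selection policies discussed above, as an added illustration that is not part of the original thread and is not netfilter's code: a toy NAPT allocator with a single public address that either reuses an external port whenever the translated 5-tuple stays unique ("port overloading", with the original source port tried first so port numbers are preserved where possible) or hands out one external port per session. The class and function names, the documentation-range addresses and the deliberately tiny two-port external range are all constructed for the example; a real box would use a range of tens of thousands of ports.

```python
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One direction of a session, before or after translation."""
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """External-port allocator for a NAPT box with one public address (hypothetical model).

    overload=True  : a port may be reused as long as the translated 5-tuple
                     (proto, public_ip, port, dst_ip, dst_port) is still unique.
    overload=False : one external port per session, regardless of destination.
    """

    def __init__(self, public_ip: str, overload: bool,
                 ports: Tuple[int, int] = (1024, 65535)) -> None:
        self.public_ip = public_ip
        self.overload = overload
        self.lo, self.hi = ports
        self.table: Dict[Flow, Flow] = {}          # translated tuple -> original flow
        self.busy: Set[Tuple[str, int]] = set()    # (proto, port) pairs handed out

    def _candidates(self, preferred: int) -> Iterator[int]:
        # Port preservation: offer the original source port first, then the rest of the range.
        if self.lo <= preferred <= self.hi:
            yield preferred
        for p in range(self.lo, self.hi + 1):
            if p != preferred:
                yield p

    def _is_free(self, proto: str, port: int, dst_ip: str, dst_port: int) -> bool:
        if self.overload:
            return Flow(proto, self.public_ip, port, dst_ip, dst_port) not in self.table
        return (proto, port) not in self.busy

    def allocate(self, f: Flow) -> Flow:
        """Pick an external port for f and record the mapping; raise if the range is exhausted."""
        for port in self._candidates(f.src_port):
            if self._is_free(f.proto, port, f.dst_ip, f.dst_port):
                xlated = Flow(f.proto, self.public_ip, port, f.dst_ip, f.dst_port)
                self.table[xlated] = f
                self.busy.add((f.proto, port))
                return xlated
        raise RuntimeError("external port range exhausted")

    def lookup_reply(self, proto: str, remote_ip: str, remote_port: int,
                     ext_port: int) -> Optional[Flow]:
        """Map an inbound packet remote_ip:remote_port -> public_ip:ext_port to its original flow.

        With overloading the remote endpoint is part of the key, so the same
        ext_port can legitimately belong to several sessions.
        """
        return self.table.get(Flow(proto, self.public_ip, ext_port, remote_ip, remote_port))

    def sessions_on_port(self, proto: str, ext_port: int) -> int:
        """Number of sessions sharing ext_port (never more than 1 when overload=False)."""
        return sum(1 for t in self.table if t.proto == proto and t.src_port == ext_port)


def demo(overload: bool):
    """Three internal hosts, all using source port 40000, to three different servers,
    squeezed through a two-port external range (constructed sample data)."""
    nat = Napt("203.0.113.1", overload=overload, ports=(40000, 40001))
    a = nat.allocate(Flow("tcp", "10.0.0.5", 40000, "198.51.100.10", 80))
    b = nat.allocate(Flow("tcp", "10.0.0.6", 40000, "198.51.100.20", 80))
    try:
        third: Optional[int] = nat.allocate(
            Flow("tcp", "10.0.0.7", 40000, "198.51.100.30", 80)).src_port
    except RuntimeError:
        third = None
    return a.src_port, b.src_port, third, nat.sessions_on_port("tcp", 40000)


if __name__ == "__main__":
    print("overloading     :", demo(True))   # (40000, 40000, 40000, 3)
    print("one port/session:", demo(False))  # (40000, 40001, None, 1)
```

With overloading all three sessions keep port 40000 and the range never runs out, which is the resource and port-persistency argument made in the reply; without it the third session fails once both ports are taken. The cost is the one the IETF draft objects to: an external port no longer identifies a session on its own, so the reply lookup has to include the remote endpoint, and anything that tries to reason about the mapping from the port number alone (a peer told "contact me on 203.0.113.1:40000") cannot tell which session it will reach.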
Current thread:
- NAPT - NAT Port selection ravivsn (Aug 20)
- RE: NAPT - NAT Port selection Bill Royds (Aug 20)
- RE: NAPT - NAT Port selection Orca (Aug 22)
- Re: NAPT - NAT Port selection Srini (Aug 22)
- VPN endpoints hermit921 (Aug 25)
- Re: VPN endpoints Kevin Sheldrake (Aug 26)
- Re: VPN endpoints Mason Schmitt (Aug 26)
- VPN endpoints hermit921 (Aug 25)
- Re: NAPT - NAT Port selection Devdas Bhagat (Aug 22)
- Re: NAPT - NAT Port selection Harald Welte (Aug 25)