IPfilter

Re: Comments on NAT RFC - 4787

To: Darren Reed <avalon@cairo.anu.edu.au>
Subject: Re: Comments on NAT RFC - 4787
From: Phil Dibowitz <phil@ipom.com>
Date: Tue, 06 Feb 2007 23:03:52 -0800
Cc: ipfilter@coombs.anu.edu.au
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
In-reply-to: <200702062233.l16MXev27354@carus.anu.edu.au>
References: <200702062233.l16MXev27354@carus.anu.edu.au>
Sender: owner-ipfilter@coombs.anu.edu.au
User-agent: Icedove 1.5.0.9 (X11/20061220)
Darren Reed wrote:
> A new RFC has been published with requirements for NATs:
> 
> http://www.rfc-editor.org/rfc/rfc4787.txt
> 
> Which requirements do people think are important to IPFilter,
> where they actually apply?

I think section 9 is really important. Though, it's more related to
filtering than NAT, but it's talking about letting ICMP 3/4 (destination
unreachable) through.

I've voiced this before on this list, but 'keep state' should allow ICMP
related to the connection - particularly 3/4 - through.

-- 
Phil Dibowitz                             phil@ipom.com
Open Source software and tech docs        Insanity Palace of Metallica
http://www.phildev.net/                   http://www.ipom.com/

"Never write it in C if you can do it in 'awk';
 Never do it in 'awk' if 'sed' can handle it; Never use 'sed' when 'tr'
 can do the job; Never invoke 'tr' when 'cat' is sufficient; Avoid
 using 'cat' whenever possible" -- Taylor's Laws of Programming


Attachment: signature.asc
Description: OpenPGP digital signature
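
An added example, not part of the original message and not IPFilter's own code: one way a stateful filter can decide that an ICMP destination unreachable (such as 3/4) is related to a tracked connection, by matching the packet quoted inside the ICMP error against its state table. `struct state`, `icmp_related` and `sample_icmp` are hypothetical names; the sketch assumes IPv4, matches only the direction that created the state, and does not verify checksums.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical state entry: the 5-tuple of the packet that created the state. */
struct state { uint8_t proto; uint32_t src, dst; uint16_t sport, dport; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* icmp points at the ICMP header. Returns the ICMP code when the message is
 * a destination unreachable quoting a tracked packet, otherwise -1. */
int icmp_related(const uint8_t *icmp, size_t len, const struct state *tab, size_t n)
{
    if (len < 8 + 20 + 8 || icmp[0] != 3) return -1;  /* too short, or not type 3 */
    const uint8_t *ip = icmp + 8;                     /* quoted original IP header */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < 8 + ihl + 8) return -1;
    if (ip[9] != 6 && ip[9] != 17) return -1;         /* only TCP and UDP carry ports */
    const uint8_t *l4 = ip + ihl;                     /* ports: first 4 bytes of L4 */
    for (size_t i = 0; i < n; i++)
        if (tab[i].proto == ip[9] && tab[i].src == rd32(ip + 12) &&
            tab[i].dst == rd32(ip + 16) && tab[i].sport == rd16(l4) &&
            tab[i].dport == rd16(l4 + 2))
            return icmp[1];
    return -1;
}

/* Constructed sample: ICMP 3/4 quoting TCP 192.0.2.10:sport -> 198.51.100.7:80. */
size_t sample_icmp(uint8_t *b, uint16_t sport)
{
    static const uint8_t t[36] = { 3, 4, 0, 0, 0, 0, 0x05, 0x78,  /* next-hop MTU 1400 */
        0x45, 0, 0x05, 0xdc, 0, 0, 0x40, 0, 64, 6, 0, 0,          /* quoted IP header */
        192, 0, 2, 10, 198, 51, 100, 7,  0, 0, 0, 80, 0, 0, 0, 1 };
    memcpy(b, t, sizeof t);
    b[28] = (uint8_t)(sport >> 8); b[29] = (uint8_t)sport;        /* quoted source port */
    return sizeof t;
}

int main(void)
{
    struct state tab[] = { { 6, 0xC000020Au, 0xC6336407u, 40000, 80 } };
    uint8_t pkt[36];
    size_t len = sample_icmp(pkt, 40000);
    printf("quotes tracked connection:   %d\n", icmp_related(pkt, len, tab, 1));
    sample_icmp(pkt, 40001);
    printf("quotes untracked connection: %d\n", icmp_related(pkt, len, tab, 1));
}
```

An error that quotes no tracked packet returns -1 and stays subject to the ordinary rule set, so passing related ICMP does not mean passing all ICMP type 3.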
