I have had shorewall running successfully on my linux firewall/router/server for several months now. As an aside, I like its straightforward approach to configuration.

Today I added a 1:1 NAT connection to an Exchange 2007 server, with hardly any problems at all (well, I initially forgot to include the ACCEPT rule for the server, thinking the entry in the nat file took care of everything, but re-reading the shorewall manual let me catch that mistake).

My question is this: are there any significant downsides (particularly security downsides) to doing 1:1 NAT as opposed to Proxy ARP?

I'm ignoring DNAT, perhaps inappropriately, because I think it would be hard to get RPC over HTTP to work using DNAT.

I didn't go the Proxy ARP route because (a) 1:1 NAT struck me as simpler (two config file entries and I'm done) and (b) because I have to have the Exchange server available to clients behind the firewall I'd have to multihome the Windows box (i.e., give it both a valid external IPv4 address and a valid LAN-local IPv4 address), and I wasn't sure how Exchange would react to that.

- Mark

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Mark Olbert wrote:
> My question is this: are there any significant downsides (particularly
> security downsides) to doing 1:1 NAT as opposed to Proxy ARP?

Hi Mark,

I can't think of any difference, since either way the traffic is hitting the Exchange machine. How it gets there doesn't matter.

> I'm ignoring DNAT, perhaps inappropriately, because I think it would be hard
> to get RPC over HTTP to work using DNAT.

I am using DNAT for https and it Just Works. But I only have Windows Mobile and Symbian clients on the outside doing Active Sync, so take my words with a grain of salt. In other words, I have no Outlook clients on the outside. The http port is handled by apache2 on the firewall doing name based forwarding without any troubles at all.

Side note: I don't like to have the Exchange box directly exposed at all (https being an exception, but that can be fixed too), so I use proxies between Exchange and the internet: apache for http, exim for smtp and perdition for imap and pop. Another benefit of the apache proxy is that anyone scanning and trying out exploits who doesn't use any of your host names is caught by apache. Such traffic doesn't reach the Exchange box. Exim is doing LDAP lookups against the AD to verify recipients before accepting mail.

> - Mark

Best regards,
/Martin Leben
Mark Olbert wrote:
> My question is this: are there any significant downsides (particularly
> security downsides) to doing 1:1 NAT as opposed to Proxy ARP?

No. Both depend on routing -- they just use different tricks to make routing work. My objection to NAT is that it can confuse your servers as to their true identity and can make you use split DNS or hacks like described in Shorewall FAQ 2.

> I'm ignoring DNAT, perhaps inappropriately, because I think it would be hard
> to get RPC over HTTP to work using DNAT.

1:1 NAT is equivalent to a DNAT- rule coupled with a corresponding entry in /etc/shorewall/masq. It isn't magic.

> I didn't go the Proxy ARP route because (a) 1:1 NAT struck me as simpler
> (two config file entries and I'm done) and (b) because I have to have the
> Exchange server available to clients behind the firewall I'd have to
> multihome the Windows box (i.e., give it both a valid external IPv4 address
> and a valid LAN-local IPv4 address), and I wasn't sure how Exchange would
> react to that.

If you have an internet-exposed machine behind the firewall with other client systems, then if the server gets hacked there is nothing between the hacked server and those other systems.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> 1:1 NAT is equivalent to a DNAT

On that note, I'm using DNAT for the same purpose as the original poster and it works fine.

- Bob Coffman
Tom,

Being a novice vis-à-vis shorewall, would you mind sharing what the equivalent rule and entry would be?

- Mark

> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
> Sent: Monday, September 01, 2008 4:39 PM
> To: mark@arcabama.com; Shorewall Users
> Subject: Re: [Shorewall-users] 1:1 NAT Question
>
> 1:1 NAT is equivalent to a DNAT- rule coupled with a corresponding
> entry in /etc/shorewall/masq. It isn't magic.
Mark A. Olbert wrote:
> Tom,
>
> Being a novice vis-à-vis shorewall, would you mind sharing what the equivalent rule and entry would be?

Assuming that eth0 is the 'net' interface:

In /etc/shorewall/nat:

    206.124.146.177   eth0   192.168.1.44

Is equivalent to:

/etc/shorewall/rules:

    DNAT-   net   loc:192.168.1.44   -   -   -   206.124.146.177

and /etc/shorewall/masq:

    eth0   192.168.1.44   206.124.146.177

In Shorewall 4.2, you can leave the 'loc:' out of the DNAT- rule.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
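Tom's equivalence above, turned into a small converter (an added example, not Shorewall's own code): it parses nat-file entries and emits the DNAT- rule and masq line for each, so the two forms can be compared side by side. The zone names net/loc and the second sample host are assumptions.

```python
"""Expand /etc/shorewall/nat entries into the DNAT- rule plus masq entry Tom
describes as equivalent.  Added example, not Shorewall code; the zone names
'net'/'loc' and the sample entries below are assumptions for this demo."""
import ipaddress

def parse_nat(text):
    """Parse EXTERNAL INTERFACE INTERNAL columns into tuples, skipping comments
    and blanks; optional trailing columns (ALL INTERFACES, LOCAL) are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"malformed nat entry: {raw!r}")
        external, interface, internal = cols[:3]
        ipaddress.IPv4Address(external)  # raise on a typo before rules are written
        ipaddress.IPv4Address(internal)
        entries.append((external, interface, internal))
    return entries

def dnat_rule(entry, net_zone="net", loc_zone="loc", shorewall_42=False):
    """rules columns: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST.
    DNAT- only rewrites the destination; unlike DNAT it adds no ACCEPT, so the
    host still needs an explicit ACCEPT rule (the omission Mark describes)."""
    external, _iface, internal = entry
    dest = internal if shorewall_42 else f"{loc_zone}:{internal}"  # 4.2 allows bare address
    return f"DNAT-\t{net_zone}\t{dest}\t-\t-\t-\t{external}"

def masq_entry(entry):
    """masq columns: INTERFACE SOURCE ADDRESS, i.e. outbound SNAT to EXTERNAL."""
    external, iface, internal = entry
    return f"{iface}\t{internal}\t{external}"

def expand(text, **kw):
    """Return (rules lines, masq lines) for every entry in a nat file."""
    entries = parse_nat(text)
    return [dnat_rule(e, **kw) for e in entries], [masq_entry(e) for e in entries]

# Constructed sample: Tom's entry plus a second, made-up mapping.
SAMPLE_NAT = """\
#EXTERNAL        INTERFACE  INTERNAL
206.124.146.177  eth0       192.168.1.44
206.124.146.178  eth0       192.168.1.45   # second 1:1 mapping
"""

if __name__ == "__main__":
    for section, lines in zip(("rules", "masq"), expand(SAMPLE_NAT)):
        print(f"/etc/shorewall/{section}:\n" + "\n".join(lines))
```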
Thanks. I was experimenting on my own and had come up with the following:

1) I'm masquerading the entire 192.168.1.0/24 subnet to my "primary" external IP, including the Exchange server which I want to DNAT to a different IP address. Here's the line currently in masq (eth1 is my external interface while eth0 is my internal interface):

    eth1   eth0   66.159.230.119

2) In rules I inserted the following:

    DNAT   net   loc:192.168.1.200   tcp   www,https   -   66.159.230.120

I only need to DNAT the regular and secure http protocols.

From reading your email, I think my approach is mistaken in point #1 because I shouldn't nat the Exchange server to the primary external IP when I'm DNATing the secondary IP to that same server. I think I need to change my masq entry to the following:

    eth1   eth0:!192.168.1.200   66.159.230.119

But if I do that won't the Exchange server be unable to access the internet because it won't be masqueraded? Or can that be fixed by adding the following to masq:

    eth1   eth0:192.168.1.200   66.159.230.120

Separately, what does generating the ACCEPT rule (from my DNAT entry in rules) do that excluding it (by changing DNAT to DNAT-) would fix?

- Mark

> -----Original Message-----
> From: shorewall-users-bounces@lists.sourceforge.net [mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Tom Eastep
> Sent: Friday, September 05, 2008 10:34 AM
> To: Shorewall Users
> Subject: Re: [Shorewall-users] 1:1 NAT Question
>
> Assuming that eth0 is the 'net' interface:
>
> In /etc/shorewall/nat:
>
>     206.124.146.177   eth0   192.168.1.44
>
> Is equivalent to:
>
> /etc/shorewall/rules:
>
>     DNAT-   net   loc:192.168.1.44   -   -   -   206.124.146.177
>
> and /etc/shorewall/masq:
>
>     eth0   192.168.1.44   206.124.146.177
>
> In Shorewall 4.2, you can leave the 'loc:' out of the DNAT- rule.
>
> -Tom