Subject: Re: IP Masq digression (was: LocalTalk)
To: Colin Wood <cwood@ichips.intel.com>
From: Charles Sebold <pretender@macstore.com>
List: port-mac68k
Date: 09/17/1997 10:19:02
>NetBSD _does_ support IP masquerading, although NetBSD uses the term IPNAT
>(network address translation) which is what everyone else in the world
>except linux uses.

Just an oddity that I thought might interest some people...

I was talking to a linux/x86 guru a couple of weeks ago who uses IP-Masq,
and when I explained to him what we do with NAT, he told me that they are
not quite the same thing.  Apparently, IP-Masq doesn't necessarily redirect
the ports; when I send an outgoing connection to the internet through an
IP-Masq box, it (he thought) uses the same port on the linux box as the
originating machine had used.  This would mean, among other things, some
really hairy redirection tables in the kernel (not that the user ever sees
them) and some proxies getting used instead of simply reassigning the
packet and resending it the way NAT does.  This is all transparent to the
internal unit.  However, I am assured that IP-Masq is actually a smidgen
more secure because of this, since you can't just "jump back through a
redirected port before the NAT table drops that redirection" or some such.
Of course, the odds of that being a usable security hole are pretty darn
slim, I should think.

Any thoughts?  Or have I misunderstood the nature of things?  I always
thought that they were the same.  I haven't yet gotten around to asking
Darren Reed (the ipfilter guy), although I suspect he's still pretty busy.
But he'd know if anyone did.


--Charlie   pretender@macstore.com   http://bronte.macstore.com/pretender
"Complete this sentence: the meek shall inherit..."
"...what they're bloody well given. And be thankful for it."
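To make the port-rewriting question in the message above concrete, here is an added toy model of an outbound translation table (example code written for this page; it is not from the post, and not from NetBSD, ipfilter or the Linux masquerading code). It shows the two behaviours the post contrasts: allocating a fresh external port for each outbound flow versus keeping the inside host's source port (the `preserve_port` flag is an assumption modelling what Charlie's acquaintance described, not a claim about what either implementation does). It also shows the two checks that close the "jump back through a redirected port" window he wonders about: an inbound packet is only translated when it comes from the exact remote endpoint the mapping was created for, and idle mappings are dropped after a timeout. All addresses, ports and timeouts are constructed.

```python
"""Toy outbound NAPT (port-rewriting NAT) table with endpoint matching and idle expiry.

Added example; constructed addresses (RFC 5737 ranges) and a 60-second idle timeout.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Mapping:
    inside_src: str
    inside_sport: int
    remote_dst: str
    remote_dport: int
    last_seen: float


class Napt:
    """Translation table for a gateway with a single public address."""

    def __init__(self, public_ip: str, idle_timeout: float,
                 preserve_port: bool = False, first_port: int = 40000):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.preserve_port = preserve_port  # assumption: keep inside port when free
        self.next_port = first_port
        self.table: dict[int, Mapping] = {}  # external port -> mapping

    def _expire(self, now: float) -> None:
        # Drop mappings that have seen no traffic for longer than the idle timeout.
        stale = [p for p, m in self.table.items() if now - m.last_seen > self.idle_timeout]
        for p in stale:
            del self.table[p]

    def _allocate(self, wanted: int) -> int:
        # Either reuse the inside host's own port (if not already taken) or hand
        # out the next free port from the gateway's pool.
        if self.preserve_port and wanted not in self.table:
            return wanted
        while self.next_port in self.table:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet, now: float) -> Packet:
        """Rewrite an inside->outside packet, creating a mapping if needed."""
        self._expire(now)
        for ext_port, m in self.table.items():
            if (m.inside_src, m.inside_sport, m.remote_dst, m.remote_dport) == \
                    (pkt.src, pkt.sport, pkt.dst, pkt.dport):
                m.last_seen = now
                return Packet(self.public_ip, ext_port, pkt.dst, pkt.dport)
        ext_port = self._allocate(pkt.sport)
        self.table[ext_port] = Mapping(pkt.src, pkt.sport, pkt.dst, pkt.dport, now)
        return Packet(self.public_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Reverse-translate an outside->inside packet, or return None to drop it."""
        self._expire(now)
        m = self.table.get(pkt.dport)
        if m is None:
            return None  # no (or expired) mapping for this external port: drop
        if (pkt.src, pkt.sport) != (m.remote_dst, m.remote_dport):
            return None  # not the endpoint the inside host talked to: drop
        m.last_seen = now
        return Packet(pkt.src, pkt.sport, m.inside_src, m.inside_sport)


def demo():
    """One outbound flow, then three inbound packets against its mapping."""
    nat = Napt("203.0.113.1", idle_timeout=60)
    out = nat.outbound(Packet("192.168.1.10", 1025, "198.51.100.7", 80), now=0)
    # The server's reply to the mapped port is translated back to the inside host.
    reply = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", out.sport), now=5)
    # Some other host aiming at the same mapped port is dropped.
    stray = nat.inbound(Packet("198.51.100.9", 80, "203.0.113.1", out.sport), now=6)
    # After the idle timeout the mapping is gone, so even the original peer is dropped.
    late = nat.inbound(Packet("198.51.100.7", 80, "203.0.113.1", out.sport), now=200)
    return out, reply, stray, late


if __name__ == "__main__":
    for label, pkt in zip(("out", "reply", "stray", "late"), demo()):
        print(f"{label}: {pkt}")
```

Whether the gateway keeps the inside port (`preserve_port=True`) or picks a fresh one only changes which external port the mapping lives on; in this model it is the endpoint check in `inbound` and the idle expiry that decide whether a packet arriving at a mapped port reaches an inside host, which is the property a defender would actually want to verify on a real NAT box.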