Re: NAT counting

Lamont Granquist (lamont@scriptkiddie.org)
Sun, 9 Feb 2003 11:01:51 -0800 (PST)


On Fri, 7 Feb 2003, Helge Hafting wrote:
> On Thu, Feb 06, 2003 at 09:46:44AM -0500, Stephen Clark wrote:
> > Hi all,
> >
> > Is Linux being fixed to prevent this?
> >
> >
> > "how to remotely count the number of machines hiding behind a NAT box"
> > <http://www.research.att.com/%7Esmb/papers/fnat.pdf> /
> >
> Not a problem. The purpose of NAT isn't to "hide" stuff, but
> to share an ipv4 address. If you need more than that, let a
> firewall mangle your packets in interesting ways.
> You can probably do that with linux if you really want to...

NAT should work correctly though. It'd be nice if it didn't violate RFC
1323 by having non-monotonically increasing TCP timestamps for machines
that it is NAT'ing. The RFC 1323 violations are proably just as useful as
the IPid field for this "NAT counting" *and* they can break things in
certain situations (e.g. receiving a SYN to a TIME_WAIT socket with a
smaller TCP timestamp). I wouldn't mind at all if someone tried to fix
iptables so that it would do all the proper header munging to hide the
fact that there were multiple machines behind it (obviously this would be
slower, so it'd need to be an option that wasn't on by default...)

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/