Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: Stateful Packet Filters vs. Proxies
From: Geoff Mulligan <geoff @ mulligan . com>
Date: Mon, 09 Jun 1997 12:26:08 -0600
To: Ryan Russell/SYBASE <Ryan . Russell @ sybase . com>
Cc: "Kelly E. Gibbs" <kgibbs @ best . com>, Bill Stout <stoutb @ pios . com>, firewalls <firewalls @ GreatCircle . COM>
In-reply-to: Your message of "06 Jun 1997 20:04:23 EDT." <199706070257 . TAA09836 @ notesgw2 . sybase . com>

Ryan . Russell @ sybase . com said:
> Well, the NAT I'm talking about specifically (IP NAT products like the
> ones from Checkpoint and Cisco, and probably others) work at layer 4.
> They need to understand TCP and so-forth. One could write one that
> works strictly at layer 3, but for many IP protocols it wouldn't work
> very well, and certainly wouldn't work for many-to-few NAT
> implementations. 

One cannot write a NAT that functions only at layer 3-IP (if you are referring
to the ISO layering labels).  Any change of address in the IP header cascades
into the pseudo header in UDP and TCP and must be reflected in a change in
their checksums.

	geoff
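
Added example, not part of the original message: a Python sketch of the pseudo-header dependency described above, showing a TCP segment that stops verifying when only the IP source address is rewritten and verifies again once the translator also adjusts the TCP checksum (here with the RFC 1624 incremental update). The addresses, ports and payload are constructed sample values, and the function names are hypothetical.

```python
import socket
import struct

TCP = 6  # IP protocol number carried in the pseudo-header

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum; odd-length input is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, length: int) -> bytes:
    """IP-header fields that TCP folds into its own checksum."""
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, TCP, length)

def tcp_segment(payload: bytes, csum: int = 0) -> bytes:
    """Constructed segment: ports 1025 -> 80, seq 1, ack 1, PSH|ACK, window 8192."""
    return struct.pack("!HHIIBBHHH", 1025, 80, 1, 1, 5 << 4, 0x18, 8192, csum, 0) + payload

def tcp_checksum(src: str, dst: str, zeroed: bytes) -> int:
    """Full checksum over pseudo-header plus a segment whose checksum field is 0."""
    return ~ones_sum(pseudo_header(src, dst, len(zeroed)) + zeroed) & 0xFFFF

def receiver_accepts(src: str, dst: str, segment: bytes) -> bool:
    """A valid segment sums to 0xFFFF together with its pseudo-header."""
    return ones_sum(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def nat_fix_checksum(old_csum: int, old_addr: str, new_addr: str) -> int:
    """RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), m being the address."""
    not_old = bytes(b ^ 0xFF for b in socket.inet_aton(old_addr))
    words = struct.pack("!H", ~old_csum & 0xFFFF) + not_old + socket.inet_aton(new_addr)
    return ~ones_sum(words) & 0xFFFF

def demo() -> dict:
    inside, outside, server = "10.0.0.5", "198.51.100.7", "192.0.2.80"  # constructed
    csum = tcp_checksum(inside, server, tcp_segment(b"hello"))
    sent = tcp_segment(b"hello", csum)
    fixed = tcp_segment(b"hello", nat_fix_checksum(csum, inside, outside))
    return {
        "before_nat": receiver_accepts(inside, server, sent),
        "address_rewritten_only": receiver_accepts(outside, server, sent),
        "checksum_also_updated": receiver_accepts(outside, server, fixed),
    }

if __name__ == "__main__":
    print(demo())
```
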





