I'm not on this mailing list, so pleas copy me in any replies and please
forgive me if its an old question (I've checked the Firewall FAQ on
clark.net).
I work in the Bull Unix R&D centre in France. The Bull firewall product,
NetWall, is developped here. The developers of NetWall have implemented a new
Dynamic Address Translation function in NetWall, and I'm looking for
information on the limitations inherent in the technology they're using.
Basically the new dyanmic address translation in netwall replaces the calling
address and port number in TCP and UDP "connection" requests coming from a
"mapable" host by the IP address of the interface by which the packet exits
the machine. The source port is replaced by a number grater than 65000.
For starters I've no idea how its possible to generate TCP frames with source
port numbers grater than 2 to-the-power-of 16. But I suppose its documented in
an RFC somewhere.
I've heard that this type of dynamic address translation has also been
implemented by Cisco, and that its called "Source Port Multiplexing" or
"Source Port Mapping" or something.
Obvoiusly this technology only supports TCP and UDP communications. However I
have the unnerving feeling that some commonly-used services wont like this
sort of magic. The engineering has told me that FTP is supported, but
what about sendmail?
Has anybody had any experience with a real-life application of this sort of
technology, and are there any "gotchas" that you could help us avoid?
Thanks
Ciaran
+-------------------------------------------------------------------------+
Ciaran Deignan Tel: (France) 04 76 29 79 92
BULL OSPBU (http://www-frec.bull.com) Internet Support Project Leader
Office: C1/048 Bullcom: 229 79 92
Mail to: B1/054 or C .
Deignan @
frec .
bull .
fr Fax: 229 78 62
+-------------------------------------------------------------------------+
Follow-Ups:
|
|
