Zhen-Xjell, interesting. I have deliberately not mentioned "off the shelf" hardware solutions for 2 reasons...
1. It's a pretty emotive subject for some people (sad I know) lol
2. I don't have much hands on experience with non carrier class firewalls.
But in general I agree hardware/separate firewalls are hard to beat and this "Zap" client-server functionality sounds very interesting.
This turned up in my inbox from a security mailing list. It is a nice quick description of NAT/PAT and I thought it might be worth posting here. I would normally post just a link to the reference but I don't think this mailing list is open in this way. Hope it is not out of place / doesn't offend.
F
[Snip]
Tim,
Well, as you probably know, NAT (Network Address Translation) is the idea of one internal address to one external address, or one to one.
PAT is the idea of One to Many, ergo many internal addresses to one external address.
So, there are 655536 possible ports. And you only have one IP address externally. But most internal users will only use 5-10 actual outgoing ports.
Here's the basic principle. You create a single IP address that is used external to the network, and have many internal machines point to it. Then, when those internal machines attempt to contact the external network, the firewall/router makes a table (called a state table on Cisco gear) that holds the internal IP address and port, and translates it to the (single) IP address and picks the next available port on that external IP. If the firewall/router is a good firewall/router, the next available port isn't usually the next numerical port. Hopefully, it's chosen by random chance, or an algorithm routine that is close enough.
Advantages are as follows:
1. You only require one single IP address on that external network.
2. It tends to be quick to set up, and scales up to large amounts of internal users.
3. PAT makes Link Sys and other types of home broadband routers a viable solution.
Problems with this are as follows:
1. It is hard to track who is actually using which port, and who may be using the external network access for malicious reasons, since you only have one single IP to get back to, and the state table may have refreshed by the time you track back to the firewall/router.
2. Some programs may require identical ports on both ends; for example, IPSEC VPN tunnels tend to die if more than one internal user is using the ports it requires.
3. If you have a significant number of users going out, you will eventually run out of ports. This is why you want a firewall that has very good scavenging.
4. You cannot use a PAT address for serving services to the external network/internet. There are no reserved addresses. Unless you use a universal PAT, that allows all incoming traffic to certain internal addresses, cf. PIX 501, Link Sys firewall routers after March 2001.
5. The state table that has to be built for PAT tends to be a little more involved, thus costing the firewall/router a little more memory, and a little more time.
I hope that made PAT clear as mud. There's a lot more to do with it, including the header manipulation... but that's something you need an RFC for.
Here's one.
http://www.geektools.com/rfc/rfc1631.txt
You can search http://www.geektools.com/rfc for other Requests.
Seamus Hartmann
[Snip]
Fatboy
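To make the state table Seamus describes concrete, here is a small PAT simulator. It is an added example, not code from the mailing list or from any Cisco or Linksys product: one external IP, a randomly chosen (not sequential) external port per internal connection, a scavenger that expires idle entries so ports can be reused, an error when the pool is exhausted (problem 3 above), and inbound packets with no matching state are dropped (problem 4 above). All addresses, ports and timeouts are constructed values.

```python
import random


class PatTable:
    def __init__(self, external_ip, port_range=(1024, 65535), idle_timeout=60.0, seed=None):
        # Constructed example: one external IP shared by many internal hosts (PAT).
        self.external_ip = external_ip
        self.lo, self.hi = port_range
        self.idle_timeout = idle_timeout
        self.rng = random.Random(seed)
        self.out = {}        # (int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.back = {}       # ext_port -> (int_ip, int_port, dst_ip, dst_port)
        self.last_seen = {}  # ext_port -> time of last packet, used by scavenge()

    def _pick_port(self):
        # A good translator picks a free external port at random, not the next number.
        if len(self.back) > self.hi - self.lo:
            raise RuntimeError("PAT port pool exhausted")
        while True:
            port = self.rng.randint(self.lo, self.hi)
            if port not in self.back:
                return port

    def scavenge(self, now):
        """Drop entries idle longer than idle_timeout so their ports can be reused."""
        for port, seen in list(self.last_seen.items()):
            if now - seen > self.idle_timeout:
                key = self.back.pop(port)
                del self.out[key]
                del self.last_seen[port]

    def translate_outbound(self, int_ip, int_port, dst_ip, dst_port, now):
        """Rewrite an outgoing packet's source; returns (src_ip, src_port, dst_ip, dst_port)."""
        self.scavenge(now)
        key = (int_ip, int_port, dst_ip, dst_port)
        ext_port = self.out.get(key)
        if ext_port is None:
            ext_port = self._pick_port()
            self.out[key] = ext_port
            self.back[ext_port] = key
        self.last_seen[ext_port] = now
        return (self.external_ip, ext_port, dst_ip, dst_port)

    def translate_inbound(self, src_ip, src_port, ext_port, now):
        """Map a reply back to (int_ip, int_port); None means no state, so the packet is dropped."""
        self.scavenge(now)
        key = self.back.get(ext_port)
        if key is None or key[2:] != (src_ip, src_port):
            return None
        self.last_seen[ext_port] = now
        return key[:2]
```

A two-port pool makes exhaustion and scavenging visible after a handful of connections; a real translator has tens of thousands of ports but hits the same limits under load.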