Web lists-archives.com

Re: Why does Debian allow all incoming traffic by default




On Sat, 22 Sep 2018 10:38:52 +0200
Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:

> Le 22/09/2018 à 09:39, Joe a écrit :
> >
> > Two layers of NAT work just fine, for anything but IPSec.  
> 
> 1) Even one single layer of NAT can cause trouble with other 
> applications that IPSec : FTP, SIP...
> 

Yes, but one can reasonably expect NAT hardware to also deal with
tracking of multiple port/protocol communications. Pretty much the same
basic code does both jobs, as well as stateful firewalling. There's a
reason that NAT is implemented by iptables rules. Only IPSec ties in
the endpoint IP addresses as well.

> 2) IPSec works through NAT, provided that you enable UDP
> encapsulation aka NAT-T.
> 
Yes, there's more to go wrong, though. IPSec is commonly used to
provide pretty much fixed communication between organisations, so
terminating it on the Internet interface rather than on an internal
machine makes sense, as well as keeping it simple with just the public
IP addresses. Other VPNs such as PPTP are more commonly used from
internal workstations. PPTP will pass through two* layers of NAT at
each end without special provision being made, apart from forwarding of
course.

*Presumably unlimited layers, but I've actually done two at each end. I
don't like commenting on any communications method until I've made it
work myself. I've had a certain amount of trouble with IPSec, though to
be fair that was in the days when most router manufacturers were still
getting the hang of connection tracking. There was plenty of early NAT
router firmware which didn't even handle PPTP well.

-- 
Joe