* Jeff Bonner (jeff@integralogic.com) [020208 21:30]:
> I'm trying to figure out some things about using MASQUERADE instead of
> SNAT. I have made some assumptions below, please correct me if I'm
> wrong.
>
> 1) What is the benefit of doing it this way -- not having to specify the
> external IP? If so, I guess it gets the IP from inside the kernel, like
> you would normally grep 'inet addr' out of ifconfig. Does that mean the
> firewall doesn't have to be run every time the DHCP changes?

Right. MASQUERADE is intended for use with dynamic addresses. The other
thing that it does differently is that if the link goes down, entries in
the nat table will be dropped with MASQUERADE. If you're using SNAT, the
entries stay in the table in case the link comes back up momentarily.
This makes sense for MASQUERADE, because when the link comes back up, the
address will (could) be different anyway, so the connections won't ever
be resumed.

>
> 2) The docs say this will use more overhead than SNAT, since it seeks
> the external IP every time a chain is traversed. How much more
> intensive is it? Will a 486/66 with 24MB be enough for 5 LAN users?

I think you'll be fine, if that's all the box will be doing. I'd bet that
the difference is very small. If you keep it lean enough there should be
no problems. I bet a box like that could even run apache and/or an MTA
for you, too, without problems.

>
> 3) Are there any security implications using MASQUERADE instead of SNAT
> (less/more secure)?

I don't think so; I've never heard of any such things.

good times,
Vineet

--
Currently seeking opportunities in the SF Bay Area
Please see http://www.doorstop.net/resume/
--
"I disapprove of what you say, but I will defend to the death your right
to say it."
--Beatrice Hall, The Friends of Voltaire, 1906
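The contrast in the reply above (SNAT needs the current external address spelled out, MASQUERADE lets the kernel use whatever address the outgoing interface has) as an added example; this is not code from the thread or from the netfilter project. It builds the POSTROUTING rule both ways plus a minimal FORWARD policy, and parses the WAN address out of `ip -4 -o addr show` output for the SNAT case, which is the step that has to be repeated on every DHCP lease change. Interface names, the LAN network and the sample `ip` output line are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: SNAT with a fixed
# --to-source versus MASQUERADE on a DHCP-addressed upstream interface.
# Interface names and networks below are assumptions for illustration.

WAN_IF="${WAN_IF:-eth0}"            # assumed DHCP-addressed upstream interface
LAN_IF="${LAN_IF:-eth1}"            # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed LAN network

# Pull the IPv4 address out of one line of `ip -4 -o addr show dev IF`
# output (the modern equivalent of grepping 'inet addr' from ifconfig).
# SNAT needs this value; MASQUERADE does not.
parse_wan_addr() {
    # $1: one-line `ip -4 -o addr show` output
    printf '%s\n' "$1" | awk '$3 == "inet" { sub("/.*", "", $4); print $4; exit }'
}

# SNAT variant: the address is baked into the rule, so a lease change that
# hands out a new address leaves this rule translating to a stale source
# until the script is re-run.
snat_rule() {
    # $1: WAN interface, $2: current WAN address
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$1" "$2"
}

# MASQUERADE variant: no address argument; the kernel uses the outgoing
# interface's current address, so the rule survives lease changes as-is.
masq_rule() {
    # $1: WAN interface
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# Forwarding policy shared by both variants: the LAN may open connections
# outward, the WAN side may only carry replies to established ones.
forward_rules() {
    # $1: LAN interface, $2: WAN interface, $3: LAN network
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -i $1 -o $2 -s $3 -j ACCEPT
iptables -A FORWARD -i $2 -o $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Emit the complete command list for one mode ("snat" or "masq").
build_ruleset() {
    # $1: mode, $2: `ip -4 -o addr show` line for the WAN interface
    mode="$1"; ipline="$2"
    forward_rules "$LAN_IF" "$WAN_IF" "$LAN_NET"
    case "$mode" in
        snat)
            addr="$(parse_wan_addr "$ipline")"
            [ -n "$addr" ] || { echo "no IPv4 address on $WAN_IF" >&2; return 1; }
            snat_rule "$WAN_IF" "$addr" ;;
        masq) masq_rule "$WAN_IF" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# `sh nat.sh masq --apply` runs the generated commands (as root). Without
# --apply nothing is executed, so the script can be read and tested safely.
if [ "${2:-}" = "--apply" ]; then
    build_ruleset "$1" "$(ip -4 -o addr show dev "$WAN_IF" | head -n1)" | sh -e
fi
```

Running `sh nat.sh snat` prints a ruleset whose last line carries the address current at that moment, which is exactly why a SNAT-based script needs a hook on the DHCP client to re-run it; `sh nat.sh masq` prints a ruleset with no address in it at all.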