
Re: [Nufw-users] NuFW handling NAT users from a remote host


From: Vincent Deffontaines
Subject: Re: [Nufw-users] NuFW handling NAT users from a remote host
Date: Mon, 24 Oct 2005 12:14:59 +0200 (CEST)
User-agent: SquirrelMail/1.4.5

Radu IONESCU wrote:
> Hello,
> I just discovered NuFW and before digging further, I am asking you to help
> me understand the capabilities/limitations of NuFW in the case of users
> behind a NAT.
> The path is:
>
> user workstation -
> NAT router -
> (backbone) -
> firewall -
> gateway server with NuFW -
> Internet
>
> This is the FAQ:
>
> "How does NuFW react to Source Network Address Translation?
> NuFW works fine with Source NAT, provided Source NAT is performed on the
> same machine as NuFW, or another machine, but not a host between NuFW server
> and the client."
>
> Which means to me that we cannot use NuFW in this case?
> Is it possible to overcome this?
>
> Thank you for any help!
> Best regards,
>

Hi,

The reason why NuFW doesn't work with Source NAT:
NuFW clients (nutcpc, nuwinc, etc.) send authentication to the nuauth
daemon, attaching the user ID to the source IP address and source port (for
TCP).

If the packet is rewritten on the way to the NuFW firewall, the client
auth cannot match the packet authentication, and auth plainly cannot work.

There are ways to fall back, but this lowers security quite a lot:
basically only the source IP of the NATed packets can be matched. This
means that packets can quite easily be spoofed by other users, and
definitely is not what NuFW is designed for. (This "solution" actually
falls back to nearly "per IP" auth, which we fight against.)

Hope this makes sense...

So yes, NuFW works well with SNAT only if the source NAT is performed on
the same box as the one running the nufw daemon.

Also, note that you can run multiple nufw daemons, linked to one nuauth
auth server. (I.e., if your SNAT firewalls run Linux, you have a possible
solution.)

I hope this is clear enough, do not hesitate to ask for more details if
needed.

Vincent
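The matching problem Vincent describes, modelled as an added example (editor's illustration, not NuFW's own code): a toy nuauth stores the (source IP, source port) binding a client reports, the nufw side asks it to identify the packet it actually sees, and a NAT hop in between makes the strict lookup fail. The "per IP" fallback is included to show why it attributes traffic from every host behind the same NAT to the one authenticated user. All addresses, ports and user names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int


class NuauthModel:
    """Toy nuauth: keeps the bindings clients report and identifies packets."""

    def __init__(self):
        self.bindings = {}  # (src_ip, src_port) -> user, as the client sees its socket
        self.per_ip = {}    # src_ip -> user, the weaker "per IP" fallback

    def client_auth(self, user, src_ip, src_port, observed_from):
        # A nutcpc/nuwinc client reports its own local view of the connection.
        self.bindings[(src_ip, src_port)] = user
        # Fallback only remembers where the auth connection arrived from; behind a
        # NAT router that is the router's public address, shared by every host.
        self.per_ip[observed_from] = user

    def identify(self, pkt):
        # Matching as NuFW is designed: source IP and source port must both agree.
        return self.bindings.get((pkt.src_ip, pkt.src_port))

    def identify_ip_only(self, pkt):
        # The fallback the reply warns against: any packet from that IP is accepted.
        return self.per_ip.get(pkt.src_ip)


def scenario():
    """Constructed values: alice at 10.0.0.5 behind a NAT router at 203.0.113.1."""
    nuauth = NuauthModel()
    nuauth.client_auth("alice", "10.0.0.5", 40000, observed_from="203.0.113.1")
    original = Packet("10.0.0.5", 40000)        # what nufw sees with no NAT before it
    rewritten = Packet("203.0.113.1", 51234)    # same flow after the NAT router
    neighbour = Packet("203.0.113.1", 51999)    # another, unauthenticated host behind the NAT
    return {
        "no_nat_in_path": nuauth.identify(original),             # "alice"
        "nat_in_path": nuauth.identify(rewritten),               # None: auth cannot work
        "ip_only_fallback": nuauth.identify_ip_only(rewritten),  # "alice"
        "ip_only_neighbour": nuauth.identify_ip_only(neighbour), # "alice", wrongly
    }


if __name__ == "__main__":
    for case, user in scenario().items():
        print(f"{case}: {user}")
```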
