Please consider adding support for NAT66. Since RouterOS is essentially Linux based, and since the Linux kernel in recent versions does support NAT66, it's merely a matter of integrating an already implemented feature into the ROS UI/CLI (ok, that's speculation on my part, but I mean the hard work - the implementation - has already been done). It would be a shame not to implement it when giants like Juniper do:

"IPv6-to-IPv6 NAT (NAT66), defined in Internet draft draft-mrw-behave-nat66-01, IPv6-to-IPv6 Network Address Translation (NAT66), is fully supported by the Junos OS."
rview.html

Also CentOS, for example, with kernel 3.7+ already supports NAT66.

Regardless of the RFCs though, I believe NAT66 is an extremely useful feature. There is also an RFC about NPT (Network Prefix Translation) - also useful. It won't hurt those who oppose NAT, but it will help those who need it for whatever reasons (good or bad - in network engineering terms). I am sure many people will appreciate it.

If you need to use NAT with IPv6 you're doing something wrong.

No offense, but that's just a lame argument and you know it. By that logic, if you are using NAT on IPv4 (which I am sure you do) then you are doing something wrong. Just because you don't need it or you don't like it doesn't make it 'wrong'. Or just because the so-called IPv6 evangelists say there shouldn't be NAT, that does not mean that there are not legit use cases for some networks. What I really don't understand is: what is the problem? If someone does not want to use NAT (for ideological IPv6 nonsense or because there is no need) then don't use it. But some of us need to use it, so please, enough with this 'propaganda' about NAT.

DoS attack protection

A DoS (Denial of Service) attack can overload a router: CPU usage goes to 100% and the router can become unreachable, with timeouts. All operations on packets that can take significant CPU power, such as firewalling (filter, NAT, mangle), logging and queues, can cause overloading if too many packets per second arrive at the router.

Generally there is no perfect solution to protect against DoS attacks; every service can become overloaded by too many requests. But there are some methods for minimising the impact of an attack.

Questions to ask when diagnosing an attack:
- Are there too many connections in syn-sent state present?
- Are there too many packets per second going through any interface?
- Are there too many suspicious connections?

Ways to reduce the impact:
- Reduce the number of firewall rules, queues and other packet handling actions.
- Track the attack path and block it closer to the source (by the upstream provider).

An IP address with too many connections can be added to a 'black-list' type address list for further blocking:

    /ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 \
        action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

LIMIT should be a value of 100 or even higher, as many services use multiple connections (HTTP, torrent, other P2P programs).

Instead of simply dropping the attacker's packets (with 'action=drop'), the router can capture and hold the connections (what the RouterOS tarpit action does), and with a powerful enough router it can slow the attacker down:

    /ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \

Some advanced filtering can be applied to TCP packet state.
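To make the two rules above concrete, here is an added example (not MikroTik's code or documentation) that emulates, over a constructed connection table, what connection-limit=LIMIT,NETMASK counts, how the syn-sent diagnostic looks in numbers, and how an address-list entry with address-list-timeout=1d expires. It assumes the matcher fires once a source block's count reaches LIMIT; the sample entries and the hypothetical helper names are mine.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of connection-tracking entries, in the spirit of
# "/ip firewall connection print": (src-address, tcp-state). Not a real capture.
CONNECTIONS = (
    [("203.0.113.10", "syn-sent")] * 120       # one host with many half-open connections
    + [("203.0.113.10", "established")] * 5
    + [("198.51.100.7", "established")] * 40   # busy but legitimate (HTTP / P2P client)
    + [("198.51.100.8", "established")] * 3
    + [("192.0.2.1", "syn-sent")] * 2
)

def prefix_key(addr, netmask):
    """Map a source address to its /netmask block, as connection-limit=LIMIT,NETMASK groups it."""
    return str(ip_network(f"{addr}/{netmask}", strict=False))

def sources_over_limit(conns, limit, netmask=32):
    """Emulate connection-limit=LIMIT,NETMASK: return {prefix: count} for every
    source block whose connection count has reached LIMIT (assumed >= semantics)."""
    counts = Counter(prefix_key(src, netmask) for src, _ in conns)
    return {p: n for p, n in counts.items() if n >= limit}

def syn_sent_share(conns):
    """The 'too many syn-sent connections?' check as a number:
    fraction of tracked connections still in syn-sent state."""
    if not conns:
        return 0.0
    return sum(1 for _, state in conns if state == "syn-sent") / len(conns)

def add_to_address_list(blocklist, prefixes, now, timeout=86400):
    """Emulate action=add-src-to-address-list ... address-list-timeout=1d:
    each prefix stays listed until now + timeout seconds (1d = 86400 s)."""
    for p in prefixes:
        blocklist[p] = now + timeout
    return blocklist

def is_blocked(blocklist, addr, now):
    """True if addr falls inside an address-list entry that has not expired yet
    (what src-address-list=blocked-addr matches on in the second rule)."""
    ip = ip_address(addr)
    return any(ip in ip_network(p) and now < expiry for p, expiry in blocklist.items())

if __name__ == "__main__":
    flooders = sources_over_limit(CONNECTIONS, limit=100)          # /32, LIMIT=100 as the text advises
    blocklist = add_to_address_list({}, flooders, now=0)
    print(flooders, round(syn_sent_share(CONNECTIONS), 3))
    print(is_blocked(blocklist, "203.0.113.10", 3600), is_blocked(blocklist, "198.51.100.7", 3600))
```

Re-running sources_over_limit with netmask=24 and a low limit shows why LIMIT should stay high: a coarse block and a small threshold would list the two legitimate hosts in 198.51.100.0/24 together with the offender.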