From owner-freebsd-net Wed Mar 29 6: 8:20 2000
Date: Wed, 29 Mar 2000 16:07:21 +0200 (CEST)
From: Joshua Goodall
To: Randy Bush
Cc: "Brian O'Shea", freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.

> nats kindly create and generate the mappings for the attacker.

Not if you are using a raw natd like many of us might use on a
home cable-modem-connected network, e.g.

    # /sbin/ifconfig fx0 inet 10.1.1.1 netmask 0xfffffe00
    # /sbin/dhclient de0
    # /sbin/natd -dynamic -n de0

or the rc.conf equivalent thereof.

However, I think Randy is essentially warning that each private address
can be statically mapped to a public one, demonstrating that NAT is not
necessarily a security feature, it's a convenience. Security comes from
application-layer content filtering, thorough logging, packet filtering,
competent administration, regular sweeps, subscriptions to bugtraq et al,
and so on into the darkness.

- J
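As an added illustration of the point above (not code from the thread or from FreeBSD itself): the rc.conf form of Joshua's three commands, followed by a minimal ipfw ruleset that supplies the packet filtering natd alone does not. Interface names de0/fx0 and the 10.1.1.0/23 network come from the message; the rule numbers, the `fwcmd` variable and the script path `/etc/ipfw.nat.sh` are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): natd plus ipfw packet filtering on a
# FreeBSD gateway. The rc.conf form of the three commands in the message,
# with de0 the DHCP-facing outside interface and fx0 the 10.1.1.0/23 inside:
#
#   gateway_enable="YES"
#   ifconfig_fx0="inet 10.1.1.1 netmask 0xfffffe00"
#   ifconfig_de0="DHCP"
#   natd_enable="YES"
#   natd_interface="de0"
#   natd_flags="-dynamic"
#   firewall_enable="YES"
#   firewall_script="/etc/ipfw.nat.sh"    # hypothetical path to this script
#
# natd only rewrites addresses. Whatever reaches de0 with a live or static
# mapping is forwarded inside unless a rule below refuses it.

fwcmd="${fwcmd:-/sbin/ipfw}"   # run with fwcmd=echo to print the rules instead
oif="de0"                       # outside interface
iif="fx0"                       # inside interface
inet="10.1.1.0/23"              # inside network

load_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    # Anti-spoofing: inside addresses never arrive on the outside interface.
    $fwcmd add 110 deny ip from $inet to any in via $oif
    # Everything crossing the outside interface goes through natd first;
    # rules after this one see the translated addresses.
    $fwcmd add 200 divert natd ip from any to any via $oif
    # TCP: established flows pass; new inbound SYNs are refused and logged,
    # so only connections set up from inside (or by the gateway) survive.
    $fwcmd add 300 allow tcp from any to any established
    $fwcmd add 310 deny log tcp from any to any in via $oif setup
    $fwcmd add 320 allow tcp from any to any setup
    # UDP: anything outbound, and only DNS replies inbound.
    $fwcmd add 400 allow udp from any to any out via $oif
    $fwcmd add 410 allow udp from any 53 to any in via $oif
    $fwcmd add 420 deny log udp from any to any in via $oif
    # The inside interface is trusted; anything else is logged and dropped.
    $fwcmd add 500 allow ip from any to any via $iif
    $fwcmd add 65000 deny log ip from any to any
}

# Only touch the live firewall when ipfw is actually present (i.e. on FreeBSD).
if [ -x "$fwcmd" ]; then
    load_rules
fi
```

Rule 110 sits before the divert on purpose: it inspects the packet as it arrived on de0, before natd has rewritten anything.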