From owner-freebsd-net Wed Mar 29 12:18:36 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rdc1.sfba.home.com (ha1.rdc1.sfba.home.com [24.0.0.66]) by hub.freebsd.org (Postfix) with ESMTP id BA44037B642 for ; Wed, 29 Mar 2000 12:18:08 -0800 (PST) (envelope-from boshea@ricochet.net)
Received: from beastie.localdomain ([24.19.158.41]) by mail.rdc1.sfba.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <20000329201805.MOSL13305.mail.rdc1.sfba.home.com@beastie.localdomain>; Wed, 29 Mar 2000 12:18:05 -0800
Received: (from brian@localhost) by beastie.localdomain (8.9.3/8.8.7) id MAA24418; Wed, 29 Mar 2000 12:27:15 -0800 (PST) (envelope-from brian)
Date: Wed, 29 Mar 2000 12:27:15 -0800
From: "Brian O'Shea"
To: Joshua Goodall
Cc: Randy Bush , "Brian O'Shea" , freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329122715.G330@beastie.localdomain>
Mail-Followup-To: Joshua Goodall , Randy Bush , Brian O'Shea , freebsd-net@FreeBSD.ORG
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from Joshua Goodall on Wed, Mar 29, 2000 at 04:07:21PM +0200
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 29, 2000 at 04:07:21PM +0200, Joshua Goodall wrote:
>
> > nats kindly create and generate the mappings for the attacker.
>
> not if you are using a raw natd like many of us might use on a home
> cable-modem-connected network e.g.

What is raw natd, what are the other types of natd, and what distinguishes
them from one another?

>
> # /sbin/ifconfig fx0 inet 10.1.1.1 netmask 0xfffffe00
> # /sbin/dhclient de0
> # /sbin/natd -dynamic -n de0
>
> or the rc.conf equivalent thereof.
>
> However, I think Randy is essentially warning that each private address
> can be statically mapped to a public one, demonstrating that NAT is not
> necessarily a security feature, it's a convenience.

Ok, so that basically answers the question in my last post. If I
understand correctly, someone on the same subnet as my router's external
interface could set a static route to my internal network through my
router's external interface. In other words, I am vulnerable to attack
from anyone who subscribes to the same cable modem service that I do, and
happens to be on the same subnet (I believe subnets are regional, so that
means roughly anyone in my neighborhood). Not to mention anyone who
manages to compromise one of my neighbor's systems and subsequently
attack my system.

>
> Security comes from application-layer content filtering, thorough logging,
> packet filtering, competent administration, regular sweeps, subscriptions
> to bugtraq et al, and so on into the darkness.

This sounds like reason enough for me to implement some packet filtering
rules. Decision made. The next question is, if my assumptions (above)
are correct, is it sufficient to only block packets from the subnet to
which my external interface is connected?

-brian

>
> - J
>

Thank you! This is all very good information.

-brian

--
Brian O'Shea
boshea@ricochet.net
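As an added example (not code from the thread or from FreeBSD), the following Python models the ipfw-style packet filter a defender would put in front of the natd setup quoted above, and compares it with the narrower "block only the provider subnet" filter the poster asks about. The interface names fx0/de0 and the 10.1.x LAN (10.1.1.1 with netmask 0xfffffe00, i.e. 10.1.0.0/23) come from the quoted commands; the provider subnet 203.0.113.0/24, the router's external address 203.0.113.45 and every packet address are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing modelled on the thread: fx0 is the LAN side, de0 the
# cable-modem side. 10.1.1.1/0xfffffe00 lies in 10.1.0.0/23. The provider
# subnet 203.0.113.0/24 and all packet addresses below are made up.
INTERNAL_IF, EXTERNAL_IF = "fx0", "de0"
INTERNAL_NET = ipaddress.ip_network("10.1.0.0/23")
PROVIDER_SUBNET = ipaddress.ip_network("203.0.113.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Packet:
    iface: str  # interface the packet was received on
    src: str
    dst: str

# ipfw-style rule table, first match wins: (action, inbound iface or None, src, dst)
RULES = [
    # A packet arriving on de0 addressed to the LAN can only be there because
    # someone routed 10.1.0.0/23 at our external address: drop it, whatever its source.
    ("deny", EXTERNAL_IF, ANY, INTERNAL_NET),
    # A LAN source address arriving from the outside is spoofed.
    ("deny", EXTERNAL_IF, INTERNAL_NET, ANY),
    ("allow", None, ANY, ANY),
]

def verdict(pkt: Packet, rules=RULES) -> str:
    """Action of the first rule matching the packet; deny if none matches."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, iface, src_net, dst_net in rules:
        if iface is not None and iface != pkt.iface:
            continue
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def subnet_only_verdict(pkt: Packet) -> str:
    """The narrower filter asked about in the thread: block only packets whose
    source address lies in the provider subnet. It misses routed traffic from elsewhere."""
    blocked = pkt.iface == EXTERNAL_IF and ipaddress.ip_address(pkt.src) in PROVIDER_SUBNET
    return "deny" if blocked else "allow"

def as_ipfw(rules=RULES):
    """Render the rule table as ipfw(8) 'add' commands for the FreeBSD router."""
    name = lambda net: "any" if net == ANY else str(net)
    return [f"ipfw add {a} ip from {name(s)} to {name(d)}" + (f" in via {i}" if i else "")
            for a, i, s, d in rules]
```

The destination-based rule drops the routed-in packet no matter which neighbour (or which host beyond the provider subnet) sent it, which is what the source-subnet-only filter cannot guarantee.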