Date: Wed, 29 Mar 2000 13:26:33 -0800
From: "Brian O'Shea" <boshea@ricochet.net>
To: "Brian O'Shea" <boshea@ricochet.net>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329132633.H330@beastie.localdomain>
In-Reply-To: <20000329122715.G330@beastie.localdomain>; from Brian O'Shea on Wed, Mar 29, 2000 at 12:27:15PM -0800
References: <E12aIaA-0001yj-00@roam.psg.com> <Pine.BSF.4.10.10003291547590.72451-100000@catatonia> <20000329122715.G330@beastie.localdomain>
On Wed, Mar 29, 2000 at 12:27:15PM -0800, Brian O'Shea wrote:
> 
> > However, I think Randy is essentially warning that each private address
> > can be statically mapped to a public one, demonstrating that NAT is not
> > necessarily a security feature, it's a convenience.
> 
> Ok, so that basically answers the question in my last post. If I
> understand correctly, someone on the same subnet as my router's external
> interface could set a static route to my internal network through my
> router's external interface. In other words, I am vulnerable to attack
> from anyone who subscribes to the same cable modem service that I do, and
> happens to be on the same subnet (I believe subnets are regional, so
> that means roughly anyone in my neighborhood). Not to mention anyone
> who manages to compromise one of my neighbor's systems and subsequently
> attack my system.
> 

It occurs to me that the problem I described in my last post (included
above) has nothing to do with NAT, but is the result of the fact that this
machine is a router, and so it forwards packets between interfaces if the
destination address is on a network connected to one of its interfaces.
But it is still a problem. Is this correct?

Thanks (and sorry for the numerous posts! I'm not usually this noisy)

-brian

-- 
Brian O'Shea
boshea@ricochet.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
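The forwarding behaviour the message describes, modelled as an added example (this is not code from the thread, from FreeBSD, or from any NAT implementation): a router with two directly connected networks forwards any packet whose destination lies in one of them, no matter which interface it arrived on, so a neighbour on the external segment who adds a static route for the internal prefix via the router's external address gets his packets delivered inside. The same model shows the check that closes the hole, an ingress filter on the external interface that drops packets addressed to, or claiming to come from, the internal network. The interface names ed0/ed1, the addresses 198.51.100.0/24 (external, router at .1, attacker at .77) and 192.168.1.0/24 (internal) are assumptions chosen for the example.

```python
"""Model of a two-interface router forwarding between directly connected nets.

Constructed example (not from the thread or from FreeBSD): all interface names
and addresses are assumed. A "plain" router forwards anything destined for a
connected network; the "filtered" router drops, on the external interface,
packets addressed into or sourced from the internal network.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network
# A rule returns True when the packet must be dropped.
Rule = Callable[[IPv4, IPv4, str], bool]

EXTERNAL = "ed0"                      # assumed external (cable) interface
INTERNAL = "ed1"                      # assumed internal interface
EXTERNAL_NET = Net("198.51.100.0/24")  # assumed cable segment
INTERNAL_NET = Net("192.168.1.0/24")   # assumed private LAN
ROUTER_EXT_IP = "198.51.100.1"         # assumed router address on the segment


@dataclass(frozen=True)
class Interface:
    name: str
    network: Net  # the directly connected network behind this interface


@dataclass
class Router:
    interfaces: Dict[str, Interface]
    rules: List[Rule] = field(default_factory=list)

    def route(self, dst: IPv4) -> Optional[Interface]:
        """Longest match over directly connected networks (no default route)."""
        best: Optional[Interface] = None
        for iface in self.interfaces.values():
            if dst in iface.network and (
                best is None or iface.network.prefixlen > best.network.prefixlen
            ):
                best = iface
        return best

    def forward(self, src: str, dst: str, ingress: str) -> Tuple[str, Optional[str]]:
        """Return ("drop"|"unreachable"|"forward", egress interface or None)."""
        if ingress not in self.interfaces:
            raise ValueError(f"unknown interface {ingress}")
        s, d = IPv4(src), IPv4(dst)
        for rule in self.rules:          # ingress filtering runs before the lookup
            if rule(s, d, ingress):
                return ("drop", None)
        out = self.route(d)
        if out is None:
            return ("unreachable", None)
        return ("forward", out.name)


@dataclass
class AttackerHost:
    """A neighbour on the external segment with a hand-added static route."""
    address: str
    static_routes: Dict[Net, IPv4] = field(default_factory=dict)

    def add_route(self, prefix: str, gateway: str) -> None:
        # the host-side equivalent of adding a static route for <prefix> via <gateway>
        self.static_routes[Net(prefix)] = IPv4(gateway)

    def next_hop(self, dst: str) -> Optional[IPv4]:
        d = IPv4(dst)
        matches = [(n.prefixlen, gw) for n, gw in self.static_routes.items() if d in n]
        return max(matches)[1] if matches else None


def external_ingress_filter(src: IPv4, dst: IPv4, ingress: str) -> bool:
    """On the external interface drop packets addressed into the internal net
    (the static-route case) and packets claiming an internal source (spoofing)."""
    return ingress == EXTERNAL and (dst in INTERNAL_NET or src in INTERNAL_NET)


def build_router(filtered: bool) -> Router:
    ifaces = {
        EXTERNAL: Interface(EXTERNAL, EXTERNAL_NET),
        INTERNAL: Interface(INTERNAL, INTERNAL_NET),
    }
    return Router(ifaces, [external_ingress_filter] if filtered else [])


def scenario(filtered: bool) -> Tuple[str, Optional[str]]:
    """Neighbour routes the internal prefix via the router and sends a packet."""
    attacker = AttackerHost("198.51.100.77")
    attacker.add_route(str(INTERNAL_NET), ROUTER_EXT_IP)
    assert attacker.next_hop("192.168.1.10") == IPv4(ROUTER_EXT_IP)
    # The packet arrives on ed0 with an internal host as its destination.
    return build_router(filtered).forward(attacker.address, "192.168.1.10", EXTERNAL)


if __name__ == "__main__":
    print("plain router   :", scenario(filtered=False))  # ('forward', 'ed1')
    print("filtered router:", scenario(filtered=True))   # ('drop', None)
```

The plain router forwards the neighbour's packet to ed1 because 192.168.1.10 is on a connected network; NAT never enters into it. The filter is deliberately keyed on the ingress interface rather than on addresses alone, so legitimate traffic from the LAN out to the cable segment still passes.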