From owner-freebsd-net Wed Mar 29 13:17:56 2000
Date: Wed, 29 Mar 2000 13:26:33 -0800
From: "Brian O'Shea"
To: "Brian O'Shea"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329132633.H330@beastie.localdomain>
References: <20000329122715.G330@beastie.localdomain>
In-Reply-To: <20000329122715.G330@beastie.localdomain>; from Brian O'Shea on Wed, Mar 29, 2000 at 12:27:15PM -0800

On Wed, Mar 29, 2000 at 12:27:15PM -0800, Brian O'Shea wrote:
>
> > However, I think Randy is essentially warning that each private address
> > can be statically mapped to a public one, demonstrating that NAT is not
> > necessarily a security feature, it's a convenience.
>
> Ok, so that basically answers the question in my last post. If I
> understand correctly, someone on the same subnet as my router's external
> interface could set a static route to my internal network through my
> router's external interface.
> In other words, I am vulnerable to attack
> from anyone who subscribes to the same cable modem service that I do, and
> happens to be on the same subnet (I believe subnets are regional, so
> that means roughly anyone in my neighborhood). Not to mention anyone
> who manages to compromise one of my neighbor's systems and subsequently
> attack my system.
>

It occurs to me that the problem I described in my last post (included
above) has nothing to do with NAT, but is the result of the fact that this
machine is a router, and so it forwards packets between interfaces if the
destination address is on a network connected to one of its interfaces.
But it is still a problem. Is this correct?

Thanks (and sorry for the numerous posts! I'm not usually this noisy)

-brian

--
Brian O'Shea
boshea@ricochet.net
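The forwarding behaviour the post describes, and the ingress check a defender would put in front of it, as an added Python model of the router (not code from this thread or from FreeBSD); interface names, prefixes and the sample packets are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed router model: one external (cable) interface and one private
# LAN interface, with IP forwarding enabled between them.
INTERFACES = {
    "ext0": ipaddress.ip_network("24.19.158.0/24"),   # cable-modem subnet (constructed)
    "int0": ipaddress.ip_network("192.168.1.0/24"),   # private LAN (constructed)
}
PRIVATE = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str


def forwarding_only(pkt):
    """Plain router behaviour: forward whenever the destination lies on a
    directly connected network other than the ingress one. No filtering."""
    dst = ipaddress.ip_address(pkt.dst)
    for name, net in INTERFACES.items():
        if name != pkt.in_iface and dst in net:
            return ("forward", name)
    return ("drop", None)


def ingress_filter(pkt):
    """Defender's check before forwarding: on the external interface, refuse
    packets addressed to, or claiming to come from, private address space."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.in_iface == "ext0":
        if any(dst in p for p in PRIVATE):
            return "deny: private destination arriving on external interface"
        if any(src in p for p in PRIVATE):
            return "deny: private source arriving on external interface"
    return None


def filtered_forwarding(pkt):
    reason = ingress_filter(pkt)
    return ("drop", reason) if reason else forwarding_only(pkt)


# Constructed traffic: a host on the cable subnet addressing an internal host
# directly (the case the post worries about), and a normal outbound packet.
SAMPLES = [
    Packet("ext0", "24.19.158.77", "192.168.1.10"),
    Packet("ext0", "192.168.1.10", "192.168.1.20"),
    Packet("int0", "192.168.1.10", "24.19.158.77"),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "unfiltered:", forwarding_only(p), "filtered:", filtered_forwarding(p))
```

The first sample shows the router alone forwarding the packet inward, while the filtered path drops it; the outbound sample passes both.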