From owner-freebsd-net Wed Mar 29 13:20:58 2000
Delivered-To: freebsd-net@freebsd.org
Received: from hermes.avantgo.com (ws1.avantgo.com [207.214.200.194]) by hub.freebsd.org (Postfix) with ESMTP id BF9BA37B9C1 for ; Wed, 29 Mar 2000 13:19:52 -0800 (PST) (envelope-from scott@avantgo.com)
Received: from river.avantgo.com (river.avantgo.com [10.0.128.30]) by hermes.avantgo.com (Postfix) with ESMTP id 2648D24; Wed, 29 Mar 2000 13:19:51 -0800 (PST)
Received: (from scott@localhost) by river.avantgo.com (8.9.3/8.9.3) id NAA20656; Wed, 29 Mar 2000 13:19:45 -0800
Date: Wed, 29 Mar 2000 13:19:45 -0800
From: Scott Hess
To: "Brian O'Shea"
Cc: Joshua Goodall , Randy Bush , freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329131945.A20455@river.avantgo.com>
References: <20000329122715.G330@beastie.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3us
In-Reply-To: <20000329122715.G330@beastie.localdomain>
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 29, 2000 at 12:27:15PM -0800, Brian O'Shea wrote:
> The next question is, if my assumptions (above) are correct, is it
> sufficient to only block packets from the subnet to which my external
> interface is connected?

The two general classes of this problem are to allow all while denying
specific ports/IPs, or to deny all and allow specific ports/IPs. In a
hostile environment (I think cable modems qualify :-), you probably want
to deny all, and only allow through the specific things that are needed.

Denying everything has the added advantage of making it very clear what
needs to be open. Everything that breaks has to be fixed, and then you
know exactly what's going through. The downside is that you might spend
three weeks without email because you denied too much :-).

Later,
scott

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
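The two policies Scott contrasts, written out as ipfw(8) rulesets in the syntax of the FreeBSD of the time. This is an added example, not code from the mail or from FreeBSD's own rc.firewall. The external interface name ed0, the resolver address 192.0.2.53 and the choice of SSH as the only inbound service are assumptions; the rules are emitted as text so they can be reviewed before anything is loaded into the kernel.

```shell
#!/bin/sh
# Added example: the two firewall policies from the mail above as ipfw(8)
# rulesets. Not from the original mail or from FreeBSD's rc.firewall.
# Assumed: external (cable modem) interface "ed0", ISP resolver 192.0.2.53,
# and SSH as the only service this host needs to offer inbound.
# Rules are emitted as text first so they can be reviewed or diffed; nothing
# touches the kernel until apply_rules is run (as root, on an ipfw kernel).

EXT_IF=${EXT_IF:-ed0}               # hypothetical external interface
DNS_SERVER=${DNS_SERVER:-192.0.2.53} # hypothetical resolver (TEST-NET address)
IPFW=${IPFW:-/sbin/ipfw}

# Policy 1: allow everything, deny the specific ports you happen to know
# about. Anything you did not think of (a new daemon, a misconfigured
# service) is reachable from the cable segment, and nothing logs it.
ruleset_allow_all() {
    cat <<EOF
add 100 deny log tcp from any to any 111 in via ${EXT_IF}
add 110 deny log udp from any to any 111 in via ${EXT_IF}
add 120 deny log tcp from any to any 137-139 in via ${EXT_IF}
add 130 deny log udp from any to any 137-139 in via ${EXT_IF}
add 65000 allow ip from any to any
EOF
}

# Policy 2: deny everything, allow only what is needed. Outbound is open;
# inbound is limited to replies to our own TCP connections, SSH, DNS replies
# from our resolver and a few ICMP types. The final "deny log" is the
# important line: when something breaks, /var/log/security (or "ipfw show")
# names the exact packet, and you add one rule for it instead of guessing.
ruleset_deny_all() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny log ip from any to 127.0.0.0/8
add 200 allow ip from any to any out via ${EXT_IF}
add 300 allow tcp from any to any established in via ${EXT_IF}
add 310 allow tcp from any to any 22 setup in via ${EXT_IF}
add 320 allow udp from ${DNS_SERVER} 53 to any in via ${EXT_IF}
add 330 allow icmp from any to any icmptypes 0,3,11 in via ${EXT_IF}
add 65000 deny log ip from any to any
EOF
}

# What does the outside world get through? Lists the allow rules that
# match inbound traffic on the external interface for a given ruleset.
# Usage: inbound_allows ruleset_deny_all
inbound_allows() {
    "$1" | grep "allow .* in via ${EXT_IF}" || :
}

# Load a ruleset into the kernel. Flushes first so re-running is idempotent.
# Usage: apply_rules ruleset_deny_all
apply_rules() {
    ${IPFW} -q flush
    "$1" | while read -r line; do
        # word splitting of $line is intended: each line is one ipfw command
        ${IPFW} -q $line
    done
}

# sh fw.sh show   -> print the deny-all ruleset for review (default)
# sh fw.sh apply  -> load it (needs root and a kernel built with IPFIREWALL)
case "${1:-show}" in
    show)  ruleset_deny_all ;;
    apply) apply_rules ruleset_deny_all ;;
esac
```

Running inbound_allows over the deny-all set gives a four-line answer to "what is reachable from the cable segment". Over the allow-all set it returns nothing, not because nothing is open but because the one rule that opens everything is not tied to an interface or direction at all; that is the auditability gap Scott is pointing at. The log keyword on the trailing deny is what turns "three weeks without email" into a one-line fix: the logged packet tells you which rule to add.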