Date: Tue, 13 Nov 2001 20:27:33 +0100
From: Walter Hop <walter@binity.com>
To: krzysztof <cs052279@yahoo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: NAT security
Message-ID: <14313926955.20011113202733@binity.com>
In-Reply-To: <20011113173728.32722.qmail@web14801.mail.yahoo.com>
References: <20011113173728.32722.qmail@web14801.mail.yahoo.com>
[in reply to cs052279@yahoo.com, 13-11-2001]

> Could I just set my machine as a gateway, use IPFilter and not have my
> machine do NAT? Would this be possible to do with multiple machines
> behind my firewall or do I need translation? Does having a real IP
> address as opposed to a NATed address pose any great threats?

Hi,

NAT is short for Network Address Translation, this is what ``natd'' does.
The most common use of natd is to share one Internet IP address with lots
of machines ("IP masquerading"). Machines on your home network talk to
the gateway and the gateway "rewrites" packets, so on the Internet it
looks like there is only one system talking, while the machines inside
think they have a direct connection.

This is useful when you have only *one* Internet IP address assigned to
you by your ISP (this is mostly the case), so you can surf the net with
all the computers on your home network. Because your boxes on the LAN
have a private address, they are not reachable from the Internet (except
for connections they have opened themselves). This is a nice layer of
security to begin with.

If you have been so lucky as to be assigned multiple Internet IP
addresses by your provider, you have the choice of using NAT or giving
each of your systems a real Internet IP address. In that case, you should
always set up firewalling rules on the gateway. Good firewall rules would
protect your systems from being reached from the Internet as well, so
your network would not be more vulnerable than it would be with NAT.

In short: NAT-ing your home network from the world is not meant as a
security measure in itself. In either case you need to set up additional
firewall rules to fully protect your network!

-- 
Walter Hop <walter@binity.com>
Updated contact information: http://www.binity.com/~walter/
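The configuration below is an added illustration of the point made in the message above; it is not part of Walter's reply or of the original thread. It shows the FreeBSD gateway set up with IPFilter (the tool the question asked about) in the two situations described: a single public address shared with ipnat, and a block of public addresses with no translation at all. The interface names (fxp0 towards the ISP, fxp1 towards the LAN), the 192.168.1.0/24 LAN range and the rc.conf knobs of the FreeBSD 4.x era are assumptions chosen for the example. The thing to notice is that the filter rules are identical in both cases; the only line that changes is whether the ipnat map rules are loaded. What keeps the Internet from reaching the LAN hosts is the "block in ... on fxp0 all" rule combined with the "keep state" entries created by outbound traffic, not the address rewriting.

```conf
# /etc/rc.conf   (FreeBSD 4.x style knobs; fxp0 = ISP side, fxp1 = LAN side)
gateway_enable="YES"            # forward packets between the two interfaces
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"              # set to "NO" when every LAN host has its own public IP
ipnat_rules="/etc/ipnat.rules"

# /etc/ipnat.rules   (only used in the one-public-address case)
# Rewrite the source of everything leaving fxp0 from the LAN to the
# address of fxp0 itself (0/32); the filter rules below do not change.
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map fxp0 192.168.1.0/24 -> 0/32

# /etc/ipf.rules -- WEAK: a gateway that only forwards. With public
# addresses on the LAN, every host is reachable from the Internet; with
# NAT, only the unroutable addresses keep inbound connections out.
#pass in  all
#pass out all

# /etc/ipf.rules -- CORRECTED: first-match ("quick") rules. Inbound
# traffic on fxp0 is only accepted when it belongs to a session that a
# LAN host (or the gateway) opened, so the result is the same whether
# the hosts sit behind ipnat or carry real addresses.
pass in  quick on lo0 all
pass out quick on lo0 all
# the LAN side is trusted in this example
pass in  quick on fxp1 all
pass out quick on fxp1 all
# anti-spoofing: private-range sources never legitimately arrive from the ISP
block in quick on fxp0 from 10.0.0.0/8     to any
block in quick on fxp0 from 172.16.0.0/12  to any
block in quick on fxp0 from 192.168.0.0/16 to any
# outbound: allow, and record the session so only its replies get back in
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
# inbound: anything without a matching state entry is dropped and logged
block in log quick on fxp0 all
```

After editing, load the rules with `ipf -Fa -f /etc/ipf.rules` (and `ipnat -CF -f /etc/ipnat.rules` in the NAT case) and confirm with `ipfstat -hio` that the last `block in log quick on fxp0 all` rule is the one collecting hits for unsolicited inbound packets. If a LAN host must offer a service to the Internet, that needs an explicit `pass in quick on fxp0 proto tcp from any to <host> port = <port> flags S keep state` line placed before the final block, in both the NAT and the public-address setup; with NAT it additionally needs an ipnat `rdr` rule, which is the only real difference between the two cases.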
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14313926955.20011113202733>