Date:      Fri, 31 Mar 2000 12:14:36 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        "Brian O'Shea" <boshea@ricochet.net>
Cc:        Joshua Goodall <joshua@roughtrade.net>, Randy Bush <randy@psg.com>, freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject:   Re: Security of NAT "firewall" vs. packet filtering firewall. 
Message-ID:  <200003311114.MAA01613@hak.lan.Awfulhak.org>
In-Reply-To: Message from "Brian O'Shea" <boshea@ricochet.net>  of "Wed, 29 Mar 2000 12:27:15 -0800." <20000329122715.G330@beastie.localdomain> 

> > However, I think Randy is essentially warning that each private address
> > can be statically mapped to a public one, demonstrating that NAT is not
> > necessarily a security feature, it's a convenience.
> 
> Ok, so that basically answers the question in my last post.  If I
> understand correctly, someone on the same subnet as my router's external
> interface could set a static route to my internal network through my
> router's external interface.  In other words, I am vulnerable to attack
> from anyone who subscribes to the same cable modem service that I do, and
> happens to be on the same subnet (I believe subnets are regional, so
> that means roughly anyone in my neighborhood).  Not to mention anyone
> who manages to compromise one of my neighbor's systems and subsequently
> attack my system.

Hmm, there's a PacketAliasSetTarget() function in libalias that will 
direct all incoming connections to a given IP number irrespective of 
their destination address.  Unfortunately, it's not used by either 
ppp or natd.

I think I'll add a ``nat target'' command to ppp.
-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                    <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
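
Added example, not part of the original message and not libalias, ppp or natd code: a simplified C model of what a gateway does with packets arriving on its external interface, showing that the directly routed packet described in the quoted text is forwarded when only NAT is in place and dropped only when a filter rule rejects it. All addresses, the port numbers and the names `inbound`, `struct link` and `filter_on` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a dual-homed gateway; every value here is constructed. */
enum verdict { DROP, TO_GATEWAY, FORWARD_INSIDE };

struct pkt  { uint32_t src, dst; uint16_t dport; };
struct link { uint16_t pub_port; uint32_t inside; };  /* one NAT state entry */

#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
static const uint32_t PUBLIC_ADDR = IP(203,0,113,10);  /* external interface */
static const uint32_t INSIDE_NET  = IP(192,168,1,0);   /* internal /24 */
static const uint32_t INSIDE_MASK = IP(255,255,255,0);

static int is_inside(uint32_t a) { return (a & INSIDE_MASK) == INSIDE_NET; }

/* Decide the fate of a packet received on the EXTERNAL interface.
 * filter_on models a packet filter rule that rejects anything arriving
 * from outside with an inside-net source or destination address. */
enum verdict inbound(struct pkt p, const struct link *tbl, int n, int filter_on)
{
    if (filter_on && (is_inside(p.dst) || is_inside(p.src)))
        return DROP;                    /* explicit policy decision */
    if (p.dst == PUBLIC_ADDR) {         /* the only packets NAT looks at */
        for (int i = 0; i < n; i++)
            if (tbl[i].pub_port == p.dport)
                return FORWARD_INSIDE;  /* reply on an existing mapping */
        return TO_GATEWAY;              /* no mapping: stays on the gateway */
    }
    if (is_inside(p.dst))
        return FORWARD_INSIDE;          /* ordinary routing, NAT not consulted */
    return DROP;                        /* no route for this destination */
}

int main(void)
{
    struct link tbl[] = { { 40000, IP(192,168,1,5) } };
    /* On-link neighbour addressing an inside host directly. */
    struct pkt direct = { IP(203,0,113,77), IP(192,168,1,5), 22 };
    printf("NAT only: %d, NAT + filter: %d\n",
           inbound(direct, tbl, 1, 0), inbound(direct, tbl, 1, 1));
    return 0;
}
```

The address translation table never sees the directly addressed packet, so only the filter branch changes its outcome; replies on existing mappings are unaffected by the filter.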



