From: Brian Somers <brian@Awfulhak.org>
To: "Brian O'Shea"
Cc: Joshua Goodall, Randy Bush, freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Date: Fri, 31 Mar 2000 12:14:36 +0100
Message-Id: <200003311114.MAA01613@hak.lan.Awfulhak.org>
In-Reply-To: Message from "Brian O'Shea" of "Wed, 29 Mar 2000 12:27:15 -0800." <20000329122715.G330@beastie.localdomain>

> > However, I think Randy is essentially warning that each private address
> > can be statically mapped to a public one, demonstrating that NAT is not
> > necessarily a security feature, it's a convenience.
>
> Ok, so that basically answers the question in my last post. If I
> understand correctly, someone on the same subnet as my router's external
> interface could set a static route to my internal network through my
> router's external interface. In other words, I am vulnerable to attack
> from anyone who subscribes to the same cable modem service that I do, and
> happens to be on the same subnet (I believe subnets are regional, so
> that means roughly anyone in my neighborhood). Not to mention anyone
> who manages to compromise one of my neighbor's systems and subsequently
> attack my system.

Hmm, there's a PacketAliasSetTarget() function in libalias that will
direct all incoming connections to a given IP number irrespective of
their destination address. Unfortunately, it's not used by either ppp
or natd. I think I'll add a ``nat target'' command to ppp.

-- 
Brian

Don't _EVER_ lose your sense of humour !
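As an added example (not from this thread, and not ppp's or natd's own code), here is an ipfw rule set for the router that drops the packets Brian O'Shea describes, namely traffic arriving on the external interface that is addressed to, or claims to come from, the private network. It assumes natd driven by an ipfw divert rule; the interface name and private network are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules that close the hole
# discussed above (a neighbour routing packets for the private network
# straight at the router's external interface). Assumes natd with an ipfw
# divert rule; the interface and network below are constructed values.
EXT_IF="${EXT_IF:-ed0}"             # interface facing the cable modem
INT_NET="${INT_NET:-172.31.0.0/16}" # private network behind the router
IPFW="${IPFW:-ipfw}"                # IPFW=echo prints rules instead of loading

# Print the rule set, one rule per line, in the order it must be loaded.
# Rules 10 and 11 sit BEFORE the divert rule on purpose: natd rewrites the
# destination of inbound packets, so the same check placed after rule 50
# would see the already-translated private address and drop legitimate
# traffic. Rule 60 sits AFTER the divert for the mirror-image reason:
# outbound packets still carry a private source until natd translates them.
nat_guard_rules() {
    cat <<EOF
add 10 deny log ip from any to $INT_NET in via $EXT_IF
add 11 deny log ip from $INT_NET to any in via $EXT_IF
add 50 divert natd ip from any to any via $EXT_IF
add 60 deny log ip from $INT_NET to any out via $EXT_IF
EOF
}

# Feed the rules to ipfw, or to whatever IPFW names (echo for a dry run).
load_rules() {
    nat_guard_rules | while read -r rule; do
        # word splitting of $rule is intended: each word is an ipfw argument
        $IPFW $rule
    done
}

# Number of the first inbound deny rule; lets a caller confirm that it
# really precedes the divert rule (50) before the set is loaded.
first_guard_rule() {
    nat_guard_rules | awk '$1 == "add" && $3 == "deny" && /in via/ { print $2; exit }'
}
```

With ppp's built-in NAT the packets ipfw sees on tun0 are already de-aliased inside ppp, so these ipfw rules do not carry over unchanged to that setup.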