Date: Wed, 02 Jul 2003 21:05:02 -0400
From: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Performance improvement for NAT in IPFIREWALL
Message-ID: <3F03813E.9020407@mac.com>
In-Reply-To: <20030702212709.M1913@odysseus.silby.com>
References: <3F0316DE.3040301@tenebras.com> <20030702183838.GB4179@pit.databus.com> <3F0327FE.3030609@tenebras.com> <3F0331EE.6020707@mac.com> <3F0350C7.7010009@tenebras.com> <3F036571.8030609@mac.com> <20030702212709.M1913@odysseus.silby.com>
Mike Silbersack wrote:
[ ... ]
> Please explain this point more.
>
> Say I have 1000 win 9x boxes connected to the internet with routable IPs
> and no firewall.  How will placing them behind a NAT box make them less
> secure?

"man natd" suggests that you've just enabled IP spoofing for the LAN:

     You should be aware of the fact that, with these firewall settings,
     everyone on your local network can fake his source-address using your
     host as gateway.  If there are other hosts on your local network, you
     are strongly encouraged to create firewall rules that only allow
     traffic to and from trusted hosts.

People using NAT tend to permit arbitrary outbound connections from clients
rather than, for example, mandating that all permitted client connections go
through a designated and monitored proxy.  The placement of the divert rule
early on tends to circumvent egress filtering.

However, I would suggest that my point has less to do with whether NAT can
reduce the security of a completely open network with no firewall any
further (although there are ways that it could), and more to do with whether
the combination of firewall+NAT is particularly safe and secure compared
with firewall-without-NAT.

At the very least, using NAT on the firewall increases the scope and
potential of denial-of-service attacks to exhaust kernel memory or sockets
(if use_sockets is set).

-- 
-Chuck

PS: But I also saw comments from Ruslan and Dean, and I'm willing to let
this issue lapse rather than prolong a debate that people don't think is
on-topic.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3F03813E.9020407>
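The ordering problem Chuck raises (a divert rule placed before any egress filtering, so natd translates whatever the LAN sends) can be made concrete with two ipfw rulesets side by side. The script below is an added example, not code from the message, from natd(8) or from FreeBSD's rc.firewall. The interface names fxp0 and tun0, the LAN range 192.168.1.0/24 and the rule numbers are assumptions chosen for illustration; fwcmd defaults to `echo ipfw` so the rulesets print instead of loading, and the check function only inspects that printed output.

```shell
#!/bin/sh
# Added example, not part of the original message or of FreeBSD's own
# rc.firewall: two ipfw rulesets for a natd gateway.  The first places the
# divert rule before any egress filtering, as in the minimal natd(8) setup;
# the second filters LAN source addresses before traffic ever reaches natd.
# Interface names and the LAN range are constructed for illustration.

iif=${iif:-fxp0}                      # assumed inside (LAN) interface
oif=${oif:-tun0}                      # assumed outside interface
lan_net=${lan_net:-192.168.1.0/24}    # assumed LAN address range

# Dry run by default so the rulesets can be inspected offline; set
# fwcmd=/sbin/ipfw on a FreeBSD gateway to actually load them.
fwcmd=${fwcmd:-"echo ipfw"}

# Minimal ruleset: divert everything on the outside interface, then pass
# everything.  No rule looks at the source address of packets arriving on
# the LAN interface, so a LAN host may send with any source address and
# natd will still translate and forward the packet.
weak_ruleset() {
    $fwcmd -f flush
    $fwcmd add 50 divert natd ip from any to any via "$oif"
    $fwcmd add 100 allow ip from any to any
}

# Same gateway with egress filtering ahead of the divert rule.  A forwarded
# packet passes ipfw twice (inbound on $iif, outbound on $oif), so the
# inbound pass can reject spoofed sources before the outbound pass hands
# the packet to natd.
hardened_ruleset() {
    $fwcmd -f flush
    # anti-spoofing on the inside interface: only $lan_net may send
    $fwcmd add 100 allow ip from "$lan_net" to any in via "$iif"
    $fwcmd add 110 deny ip from any to any in via "$iif"
    # packets claiming a LAN source must not arrive from outside
    $fwcmd add 120 deny ip from "$lan_net" to any in via "$oif"
    # only now hand outside-interface traffic to natd
    $fwcmd add 200 divert natd ip from any to any via "$oif"
    # remaining traffic; a real site would narrow this to what it needs
    $fwcmd add 300 allow ip from any to any
}

# Check an emitted ruleset (read on stdin): succeed only if a deny rule for
# packets entering on the inside interface has a lower number than, and so
# is evaluated before, the divert rule.
divert_after_ingress_deny() {
    awk -v iif="$iif" '
        $2 == "add" && $4 == "divert" && divert == "" { divert = $3 }
        $2 == "add" && $4 == "deny" && $0 ~ ("in via " iif) && deny == "" { deny = $3 }
        END { exit !(deny != "" && divert != "" && deny + 0 < divert + 0) }
    '
}
```

Running `weak_ruleset | divert_after_ingress_deny` fails because no rule examines the inside interface before rule 50 diverts traffic; `hardened_ruleset | divert_after_ingress_deny` succeeds because rule 110 drops anything from fxp0 that is not sourced from the LAN range before rule 200 reaches natd. The check is deliberately narrow: it verifies ordering in a printed ruleset, not what the kernel will do with every packet.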