Date: Mon, 20 Sep 1999 16:13:41 -0500 (CDT)
From: John Heyer <john@arnie.jfive.com>
To: security@FreeBSD.ORG
Subject: port-blocking ipfw rules with NAT - necesary?
Message-ID: <Pine.BSF.3.96.990920154858.3314A-100000@snake.supranet.net>
In-Reply-To: <19990920162742.A12619@bitbox.follo.net>
In the firewall section of the handbook, it recommends something like:

- Stop IP spoofing and RFC1918 networks on the outside interface
- Deny most (if not all) UDP traffic
- Protect TCP ports 1-1024, 2000, 2049, 6000-6063 on the internal network

These rules make sense, but I think they make the assumption that the network you're protecting is routable. If I'm running NAT and my internal network is non-routable, do I really need to continue blocking ports?

For example, let's say someone was running an open relay mail server or vulnerable FTP server - would it be possible for an intruder to somehow access the internal machine, assuming I'm not using -redirect_port or -redirect_address with natd?

--
"Your illogical approach ... does have its advantages."
-- Spock, after being checkmated by Kirk

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
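An added example, not part of the original mail or the FreeBSD handbook: a small Python model of the three handbook-style rules the question lists, evaluated first-match against constructed packets as they appear on the outside interface before natd translates them. The interface names, the 192.168.1.0/24 internal network and the sample addresses are assumptions; the block models the rule logic, not ipfw syntax.

```python
import ipaddress
from collections import namedtuple

# Constructed packet model for the example (not from the original mail).
Packet = namedtuple("Packet", "iface direction proto src dst dport")

# Assumed internal LAN behind natd, and the RFC1918 ranges the first rule blocks.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# TCP ports the handbook says to protect on the internal network.
PROTECTED_TCP = set(range(1, 1025)) | {2000, 2049} | set(range(6000, 6064))


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def evaluate(pkt):
    """First-match evaluation of the handbook-style rules: returns ('deny'|'allow', reason)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    inbound_outside = pkt.iface == "outside" and pkt.direction == "in"
    # 1. Anti-spoofing on the outside interface: no private source or destination
    #    may arrive from the Internet, NAT or not.
    if inbound_outside and (_in_any(src, RFC1918) or src in INTERNAL_NET):
        return "deny", "spoofed private source on outside interface"
    if inbound_outside and _in_any(dst, RFC1918):
        return "deny", "private destination on outside interface"
    # 2. Deny UDP arriving from the outside.
    if inbound_outside and pkt.proto == "udp":
        return "deny", "udp blocked on outside interface"
    # 3. Protect the listed TCP ports on internal hosts from outside connections.
    if inbound_outside and pkt.proto == "tcp" and dst in INTERNAL_NET and pkt.dport in PROTECTED_TCP:
        return "deny", f"tcp/{pkt.dport} protected on internal network"
    return "allow", "no matching deny rule"


# Constructed sample traffic (documentation address ranges used for the Internet side).
SAMPLE_PACKETS = [
    Packet("outside", "in", "tcp", "10.0.0.5", "203.0.113.10", 25),      # spoofed private source
    Packet("outside", "in", "tcp", "198.51.100.7", "192.168.1.20", 21),  # aimed straight at an internal host
    Packet("outside", "in", "udp", "198.51.100.7", "203.0.113.10", 53),  # UDP from outside
    Packet("outside", "in", "tcp", "198.51.100.7", "203.0.113.10", 80),  # ordinary traffic to the public address
    Packet("inside", "in", "tcp", "192.168.1.20", "198.51.100.7", 25),   # outbound from the LAN
]


def audit(packets=SAMPLE_PACKETS):
    """Return the disposition of each packet, in order."""
    return [evaluate(p)[0] for p in packets]
```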
