From owner-freebsd-security Mon Sep 20 14:26:15 1999
Delivered-To: freebsd-security@freebsd.org
Received: from snake.supranet.net (snake.supranet.net [205.164.160.19]) by hub.freebsd.org (Postfix) with ESMTP id A88C315491 for ; Mon, 20 Sep 1999 14:26:02 -0700 (PDT) (envelope-from john@arnie.jfive.com)
Received: from snake.supranet.net (snake.supranet.net [205.164.160.19]) by snake.supranet.net (8.8.8/8.8.8) with SMTP id QAA03834 for ; Mon, 20 Sep 1999 16:13:41 -0500 (CDT) (envelope-from john@arnie.jfive.com)
Date: Mon, 20 Sep 1999 16:13:41 -0500 (CDT)
From: John Heyer
X-Sender: john@snake.supranet.net
To: security@FreeBSD.ORG
Subject: port-blocking ipfw rules with NAT - necessary?
In-Reply-To: <19990920162742.A12619@bitbox.follo.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In the firewall section of the handbook, it recommends something like:

- Stop IP spoofing and RFC1918 networks on the outside interface
- Deny most (if not all) UDP traffic
- Protect TCP ports 1-1024,2000,2049,6000-6063 on the internal network

These rules make sense, but I think they make the assumption that the network you're protecting is routable. If I'm running NAT and my internal network is non-routable, do I really need to continue blocking ports?

For example, let's say someone was running an open relay mail server or a vulnerable FTP server - would it be possible for an intruder to somehow access the internal machine, assuming I'm not using -redirect_port or -redirect_address with natd?

--
"Your illogical approach ... does have its advantages."
-- Spock, after being Checkmated by Kirk

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
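The three handbook recommendations the poster lists, written out as an ipfw ruleset sitting behind a natd divert on the outside interface. This is an added example, not code from the original post or from the handbook; the interface names (ed0, ed1), the inside network 192.168.1.0/24 and the DNS allowance are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the three handbook
# recommendations written as an ipfw ruleset placed behind a natd divert
# on the outside interface. Interface names and the inside network are
# assumptions; adjust them for the site.
OIF=${OIF:-ed0}                  # assumed outside (Internet) interface
IIF=${IIF:-ed1}                  # assumed inside interface
INNER=${INNER:-192.168.1.0/24}   # assumed RFC1918 inside network
IPFW=${IPFW:-ipfw}               # set IPFW=echo to dry-run

# Print the ruleset, one "ipfw add ..." argument list per line.
build_rules() {
    # natd first: inbound packets are translated to their inside
    # destination before the filter rules below look at them.
    echo "add 50 divert natd ip from any to any via $OIF"
    # Stop spoofing: our own inside range, other RFC1918 space and
    # loopback must never arrive as a source on the outside interface.
    echo "add 100 deny ip from $INNER to any in via $OIF"
    echo "add 110 deny ip from 10.0.0.0/8 to any in via $OIF"
    echo "add 120 deny ip from 172.16.0.0/12 to any in via $OIF"
    echo "add 130 deny ip from 192.168.0.0/16 to any in via $OIF"
    echo "add 140 deny ip from 127.0.0.0/8 to any in via $OIF"
    # Protect the listed TCP ports on the inside network, then allow
    # established sessions and outbound connection setup only.
    echo "add 200 deny tcp from any to $INNER 1-1024,2000,2049,6000-6063 in via $OIF"
    echo "add 210 allow tcp from any to any established"
    echo "add 220 allow tcp from any to any setup out via $OIF"
    # Deny UDP except DNS (an assumption about what the site needs).
    echo "add 300 allow udp from any to any 53 out via $OIF"
    echo "add 310 allow udp from any 53 to any in via $OIF"
    echo "add 320 deny udp from any to any via $OIF"
    # Inside and loopback traffic is unrestricted; everything else dies.
    echo "add 400 allow ip from any to any via $IIF"
    echo "add 410 allow ip from any to any via lo0"
    echo "add 65000 deny log ip from any to any"
}

# Feed each rule to ipfw (or to whatever $IPFW names).
apply_rules() {
    build_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPFW $line || return 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run with `IPFW=echo sh rules.sh apply` to review the generated rules before loading them.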