From owner-freebsd-security Tue Sep 21 3:45:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from ns1.yes.no (ns1.yes.no [195.204.136.10]) by hub.freebsd.org (Postfix) with ESMTP id E0E93152C7 for ; Tue, 21 Sep 1999 03:45:30 -0700 (PDT) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [195.204.143.218]) by ns1.yes.no (8.9.3/8.9.3) with ESMTP id MAA25723; Tue, 21 Sep 1999 12:45:29 +0200 (CEST)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.8/8.8.6) id MAA46248; Tue, 21 Sep 1999 12:45:28 +0200 (MET DST)
Date: Tue, 21 Sep 1999 12:45:28 +0200
From: Eivind Eklund
To: John Heyer
Cc: security@FreeBSD.ORG
Subject: Re: port-blocking ipfw rules with NAT - necesary?
Message-ID: <19990921124528.I12619@bitbox.follo.net>
References: <19990920162742.A12619@bitbox.follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.1i
In-Reply-To: ; from John Heyer on Mon, Sep 20, 1999 at 04:13:41PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Sep 20, 1999 at 04:13:41PM -0500, John Heyer wrote:
>
> In the firewall section of the handbook, it recommends something like:
> - Stop IP spoofing and RFC1918 networks on the outside interface
> - Deny most (if not all) UDP traffic
> - Protect TCP ports 1-1024,2000,2049,6000-6063 on the internal network
>
> These rules make sense, but I think they make the assumption the network
> you're protecting is routable. If I'm running NAT and my internal network is
> non-routable, do I really need to continue blocking ports? For example,
> let's say someone was running an open relay mail server or vulnerable FTP
> server - would it be possible for an intruder to somehow access the
> internal machine assuming I'm not using -redirect_port or
> -redirect_address with natd?

It shouldn't be - but it is always prudent to use several layers of
defense.

Eivind.