Date: Wed, 12 Apr 2000 14:29:52 -0700
From: Paul Mielke <paulm@securify.com>
To: Ron Smith <ronnet@mediaone.net>, FreeBSD Security <freebsd-security@FreeBSD.ORG>
Subject: Re: (no subject)
Message-ID: <4.2.0.58.20000412141035.00a06470@localhost>
In-Reply-To: <38F2880D.473F8F8D@mediaone.net>
At 03:03 AM 4/11/00 +0100, Ron Smith wrote:
>Thanks to all,
>
>I have a dual-homed gateway running FreeBSD. The internal LAN (NIC) is
>class "C" (192.168.c.d). The external NIC has been assigned a static IP
>address from the ISP (63.203.c.d). I'm running NAT, and would like to
>know if this will provide enough protection for the internal LAN? I also
>have a firewall compiled into the kernel, but the rules prevent NAT from
>working whenever the firewall is in any other state except allowing "any
>to any". When the firewall is using "open" rules (allowing any to any)
>is NAT still providing protection to the internal network? If not, does
>anyone have any additional suggestions?
>
>TIA
>Ron Smith

Hi, Ron.

Just running NAT in the configuration that you describe should provide pretty good protection for the hosts on your internal net in that someone coming in from outside has no way to address any of your internal hosts (since the 192.168.x.x addresses are not routable). The external interface of your firewall box, however, gets no protection from this. If one simply runs no services on the firewall box, then that may not be an issue. In my case, I want to use my firewall for other things than being a firewall, so I want to run services for the use of other hosts on my internal net. If that is your situation, then you'll probably want to get either ipfw or ipfilter working.

One other thing to consider is that turning off TCP services doesn't protect you against ICMP and UDP based attacks on your external interface. Unless your ISP has really good filters in place, you're probably better off running ipfw or ipfilter in addition to NAT.

NAT and IPFW can coexist just fine. Take a look at the 'simple' firewall mode code in /etc/rc.firewall. You just have to be conscious when you write your firewall rules that you're seeing the packets after they've been through NAT on the external interface, meaning that, e.g., packets originating from 192.168.x.x hosts on your internal net will have source addresses equal to the IP address of your external NIC.

I've got a NAT + IPFW config running in a situation very similar to yours and it works great. Start with rc.firewall and play around with the rules to get the effect that you want. The easiest way to figure out what's going on is to turn on logging on all your rules and use the log messages to understand what your rules are doing.

Regards,
Paul

Paul Mielke
paulm@alumni.stanford.org
Securify, Inc.
650-812-9400 x4118
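As an added illustration that is not part of Paul's message nor a copy of /etc/rc.firewall: a minimal ipfw ruleset in the style of rc.firewall's 'simple' section, with the natd divert placed so that every later rule matches post-NAT addresses (including the DNS-reply rule, which would silently drop LAN lookups if it matched on the external IP). The interface names, addresses and divert port are assumed placeholders; natd(8) is assumed to already be running on the external NIC.

```shell
#!/bin/sh
# Added example, not from the original post or from /etc/rc.firewall: a
# minimal ipfw ruleset in the style of rc.firewall's "simple" section, with
# the natd divert placed so that later rules see post-NAT addresses.
# Assumed placeholders: external NIC ep0 = 63.203.0.2, internal NIC fxp0 on
# 192.168.x.x, natd(8) already running on ep0 on its default divert port
# 8668 (kernel built with IPFIREWALL and IPDIVERT).
# fwcmd defaults to a dry run that prints the commands; set fwcmd=/sbin/ipfw
# in the environment to apply them.
fwcmd="${fwcmd:-echo /sbin/ipfw}"
oif="ep0";  oip="63.203.0.2"
iif="fxp0"; inet="192.168.0.0/16"

firewall_simple_nat() {
    ${fwcmd} -f flush
    # Loopback is fine; 127/8 seen anywhere else is spoofed.
    ${fwcmd} add 100 pass all from any to any via lo0
    ${fwcmd} add 200 deny log all from any to 127.0.0.0/8
    ${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any
    # Anti-spoofing, evaluated BEFORE the divert: an inbound packet on the
    # external NIC still carries its original source here, so a private
    # source arriving from the Internet side is always bogus.
    ${fwcmd} add 400 deny log all from ${inet} to any in via ${oif}
    # Hand everything crossing the external NIC to natd. Every rule below
    # this one matches translated addresses: outbound packets from
    # 192.168.x.x now have source ${oip}, and inbound replies already have
    # their 192.168.x.x destination restored.
    ${fwcmd} add 500 divert 8668 all from any to any via ${oif}
    # After NAT nothing with a private source should be leaving.
    ${fwcmd} add 600 deny log all from ${inet} to any out via ${oif}
    # Trust the internal LAN segment entirely.
    ${fwcmd} add 700 pass all from any to any via ${iif}
    # Outbound TCP (from the box or, post-NAT, from the LAN) and its replies.
    ${fwcmd} add 800 pass tcp from any to any out via ${oif} setup
    ${fwcmd} add 810 pass tcp from any to any established
    # DNS: queries leave with source ${oip}; replies have already been mapped
    # back to the 192.168 client by natd, so 'to ${oip}' here would drop them.
    ${fwcmd} add 820 pass udp from ${oip} to any 53 out via ${oif}
    ${fwcmd} add 830 pass udp from any 53 to any in via ${oif}
    # Outbound ICMP, and only error/echo-reply types back in.
    ${fwcmd} add 840 pass icmp from any to any out via ${oif}
    ${fwcmd} add 850 pass icmp from any to any in via ${oif} icmptypes 0,3,11
    # Inbound connection attempts to the external NIC are logged and dropped,
    # as is everything else. Add 'log' to the pass rules too while tuning.
    ${fwcmd} add 900 deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add 65000 deny log all from any to any
}

firewall_simple_nat
```

Run it as-is to review the generated rules; with `fwcmd=/sbin/ipfw` it flushes and loads them, so have console access before testing on a remote box.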