From owner-freebsd-security  Wed Sep 22 12:23:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id C8C7114C9A;
	Wed, 22 Sep 1999 12:23:23 -0700 (PDT)
	(envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id MAA30037;
	Wed, 22 Sep 1999 12:23:21 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP
	by point.osg.gov.bc.ca, id smtpda30035; Wed Sep 22 12:23:12 1999
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.9.3/8.9.1) id MAA05400;
	Wed, 22 Sep 1999 12:23:11 -0700 (PDT)
Message-Id: <199909221923.MAA05400@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca"
	via SMTP by localhost.osg.gov.bc.ca, id smtpddM5393; Wed Sep 22 12:22:22 1999
X-Mailer: exmh version 2.0.2 2/24/98
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.3-RELEASE
X-Sender: cy
To: Eivind Eklund
Cc: John Heyer , security@FreeBSD.ORG
Subject: Re: port-blocking ipfw rules with NAT - necesary?
In-reply-to: Your message of "Tue, 21 Sep 1999 12:45:28 +0200."
	<19990921124528.I12619@bitbox.follo.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 22 Sep 1999 12:22:22 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19990921124528.I12619@bitbox.follo.net>, Eivind Eklund writes:
> On Mon, Sep 20, 1999 at 04:13:41PM -0500, John Heyer wrote:
> >
> > In the firewall section of the handbook, it recommends something like:
> > - Stop IP spoofing and RFC1918 networks on the outside interface
> > - Deny most (if not all) UDP traffic
> > - Protect TCP ports 1-1024,2000,2049,6000-6063 on the internal network
> >
> > These rules make sense, but I think they make the assumption the network
> > you're protecting is routable.  If I'm running NAT and my internal network
> > is non-routable, do I really need to continue blocking ports?  For example,
> > let's say someone was running an open relay mail server or vulnerable FTP
> > server - would it be possible for an intruder to somehow access the
> > internal machine assuming I'm not using -redirect_port or
> > -redirect_address with natd?
>
> It shouldn't be - but it is always prudent to use several layers of
> defense.

How true.  A few years ago I was able to access (ping, traceroute)
someone's RFC1918 network.  More recently a leak, due to a misconfigured
router, of some ARPA addresses was blocked by my firewall.


Regards,                       Phone:  (250)387-8437
Cy Schubert                     Fax:  (250)387-5766
Open Systems Group         Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                  Cy.Schubert@gems8.gov.bc.ca
Province of BC
            "e**(i*pi)+1=0"