Date: Sun, 27 Feb 2005 18:57:41 -0500
From: Chuck Swiger <cswiger@mac.com>
To: Stevan Tiefert <stevan@rot-1.de>
Cc: freebsd-questions@freebsd.org
Subject: Re: security without NAT?
Message-ID: <42225E75.6040102@mac.com>
In-Reply-To: <20050227223559.I11345@mail.rot-1.de>
References: <20050227223559.I11345@mail.rot-1.de>

Stevan Tiefert wrote:
[ ... ]
> I understand that if these workstations want to request answers from
> outside the private network are never getting answers, but is it possible
> to see and attack these workstations from outside?

If you avoid configuring a default route on the local machines, and require
them to access any remote services via a subnet-local proxy on this gateway,
it will help security significantly. However, you need to take a great deal
of care with the gateway machine even if you disable NAT on it, for reasons
someone else just mentioned.

Also, and in particular, you need to block the loose and strict source-routing
IP option via a firewall, or else someone who knows what they are doing can
still get traffic into your local subnet.

-- 
-Chuck
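An added example, not part of the original message: the check a filter has to make to block the loose and strict source-routing options mentioned above, written as a parser over the IPv4 header's option list (types 0x83 and 0x89 in RFC 791). The function names and the sample headers are assumptions constructed for illustration.

```python
import struct

LSRR, SSRR, EOL, NOP = 0x83, 0x89, 0x00, 0x01  # IPv4 option types (RFC 791)

def source_route_options(packet: bytes) -> list:
    """Return the source-routing options present in a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    header_len = (packet[0] & 0x0F) * 4  # IHL counts 32-bit words
    if not 20 <= header_len <= len(packet):
        raise ValueError("bad header length")
    found, i = [], 20  # options start after the fixed 20 bytes
    while i < header_len:
        opt = packet[i]
        if opt == EOL:  # end of option list, the rest is padding
            break
        if opt == NOP:  # single-byte filler, no length field
            i += 1
            continue
        # The length byte covers the type and length bytes themselves.
        length = packet[i + 1] if i + 1 < header_len else 0
        if length < 2 or i + length > header_len:
            raise ValueError("bad option length")
        if opt in (LSRR, SSRR):
            found.append("lsrr" if opt == LSRR else "ssrr")
        i += length
    return found

def verdict(packet: bytes) -> str:
    """Deny source-routed packets; also deny headers that do not parse."""
    try:
        return "deny" if source_route_options(packet) else "pass"
    except ValueError:
        return "deny"

def build_header(options: bytes = b"") -> bytes:
    """Constructed sample input: IPv4 header (checksum left at 0) plus options."""
    options += b"\x00" * (-len(options) % 4)  # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 1, 0,
                       bytes([192, 0, 2, 1]), bytes([10, 0, 0, 5])) + options

HOP = bytes([10, 0, 0, 1])  # constructed route entry
SAMPLES = {
    "plain": build_header(),
    "lsrr": build_header(bytes([LSRR, 7, 4]) + HOP),
    "ssrr": build_header(bytes([NOP, SSRR, 7, 4]) + HOP),
    "timestamp": build_header(bytes([0x44, 8, 5, 0, 0, 0, 0, 0])),
    "bad_length": build_header(bytes([LSRR, 40, 4, 0])),
}
```

A header carrying an unrelated option (the timestamp sample) passes, while a header whose option list cannot be walked safely is denied rather than passed unexamined.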
