Date: Tue, 28 Mar 2000 14:40:29 -0500 (EST)
From: Kelly Yancey
To: "Brian O'Shea"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
In-Reply-To: <20000328113534.W330@beastie.localdomain>

On Tue, 28 Mar 2000, Brian O'Shea wrote:

> Hello,
>
> I have set up a FreeBSD 3.4-STABLE machine as a NAT router for my
> home. The only service that I am running on it is SSH. Because there
> is no external route to any of the machines on my internal network (I
> am using one of the RFC1918 network addresses), is there any security
> benefit to installing packet filtering rules? It wouldn't be much
> trouble for me to do so, but I'm wondering if it is necessary.
>

NAT will effectively protect the boxes on your network. It's the router
you need to worry about (since it is the only box on the public Internet).
You say you are only running SSH on it, so it sounds like you have locked
that box down but good. Depending on how paranoid you are, you might still
want to put packet filter rules just for protecting your router.
Kelly

--
Kelly Yancey - kbyanc@posi.net - Richmond, VA
Analyst / E-business Development, Bell Industries http://www.bellind.com/
Maintainer, BSD Driver Database http://www.posi.net/freebsd/drivers/
Coordinator, Team FreeBSD http://www.posi.net/freebsd/Team-FreeBSD/