From owner-freebsd-net Tue Mar 28 12:59:44 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rdc1.sfba.home.com (ha1.rdc1.sfba.home.com [24.0.0.66]) by hub.freebsd.org (Postfix) with ESMTP id 5350037BAC3 for ; Tue, 28 Mar 2000 12:59:42 -0800 (PST) (envelope-from boshea@ricochet.net)
Received: from beastie.localdomain ([24.19.158.41]) by mail.rdc1.sfba.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <20000328205942.HPTT5721.mail.rdc1.sfba.home.com@beastie.localdomain>; Tue, 28 Mar 2000 12:59:42 -0800
Received: (from brian@localhost) by beastie.localdomain (8.9.3/8.8.7) id NAA22163; Tue, 28 Mar 2000 13:08:50 -0800 (PST) (envelope-from brian)
Date: Tue, 28 Mar 2000 13:08:50 -0800
From: "Brian O'Shea"
To: Kelly Yancey
Cc: "Brian O'Shea", freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328130850.Z330@beastie.localdomain>
Mail-Followup-To: Kelly Yancey, Brian O'Shea, freebsd-net@FreeBSD.ORG
References: <20000328113534.W330@beastie.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: ; from Kelly Yancey on Tue, Mar 28, 2000 at 02:40:29PM -0500
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 28, 2000 at 02:40:29PM -0500, Kelly Yancey wrote:
>
> NAT will effectively protect the boxes on your network. It's the router
> you need to worry about (since it is the only box on the public Internet).
> You say you are only running SSH on it, so it sounds like you have locked
> that box down but good. Depending on how paranoid you are, you might still
> want to put packet filter rules just for protecting your router.
>
> Kelly
>

Thank you for your response. This is what I thought, although I should have clarified my question. I was wondering if there is any added security to having packet filtering rules on the router, in addition to NAT.

Since there are no services to exploit (ignoring sshd for the moment), what rules would I add? If there are no services running, then there is no need to block any ports. But are there other types of vulnerabilities that I should be worried about?

Thanks,
-brian

p.s. I have considered limiting access to the sshd port to only certain authorized networks, but this is only a minor obstacle at best (especially considering the networks to which I would have to grant access).

--
Brian O'Shea
boshea@ricochet.net
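As an added example, not part of Brian's message or Kelly's reply: an ipfw ruleset in the style of a FreeBSD /etc/rc.firewall script that does the two things the thread leaves open. It restricts sshd on the router to named source networks, and it gives the external interface a default-deny inbound policy with anti-spoofing checks placed ahead of the natd divert; natd by itself rewrites addresses and does neither. The interface names (ed0, ed1), the addresses (192.0.2.1, 192.168.1.0/24) and the authorized networks (203.0.113.0/24, 198.51.100.0/24) are placeholders chosen for this example, and the check_ruleset ordering test is this example's own addition, not an ipfw feature.

```shell
#!/bin/sh
# Added example (not from the original thread): ipfw rules for a FreeBSD
# NAT router whose only listening service is sshd.  ipfw stops at the
# first matching rule, so ordering is the whole point of this script.
#
# Placeholders (assumptions, not from the thread):
fwcmd="${FWCMD:-/sbin/ipfw}"        # FWCMD=echo gives a dry run
oif="${OIF:-ed0}";   oip="${OIP:-192.0.2.1}"          # public side
iif="${IIF:-ed1}";   inet="${INET:-192.168.1.0/24}"   # private LAN
ssh_from="${SSH_FROM:-203.0.113.0/24 198.51.100.0/24}" # may reach sshd

# Emit the ruleset, one "ipfw add ..." argument list per line.
firewall_rules() {
    # 1. Anti-spoofing, evaluated before natd touches the packet: the LAN
    #    prefix and our own public address never arrive from outside, and
    #    private/loopback destinations never belong on the public wire.
    echo "add deny log all from ${inet} to any in via ${oif}"
    echo "add deny log all from ${oip} to any in via ${oif}"
    echo "add deny all from any to 10.0.0.0/8 via ${oif}"
    echo "add deny all from any to 172.16.0.0/12 via ${oif}"
    echo "add deny all from any to 192.168.0.0/16 via ${oif}"
    echo "add deny all from any to 127.0.0.0/8 via ${oif}"
    echo "add deny all from 127.0.0.0/8 to any via ${oif}"
    # 2. Hand everything else on the public interface to natd.  Packets
    #    come back from natd and continue at the rule after this one.
    echo "add divert natd all from any to any via ${oif}"
    # 3. Packets belonging to connections that already completed setup.
    echo "add pass tcp from any to any established"
    # 4. sshd on the router itself: only from the authorized networks.
    for net in ${ssh_from}; do
        echo "add pass tcp from ${net} to ${oip} 22 in via ${oif} setup"
    done
    # 5. Every other inbound connection attempt, whether aimed at the
    #    router or at a LAN host behind natd, is dropped and logged.
    echo "add deny log tcp from any to any in via ${oif} setup"
    # 6. Outbound connections from the LAN (via ${iif}) and the router.
    echo "add pass tcp from any to any setup"
    echo "add pass udp from any to any out via ${oif}"
    echo "add pass udp from any 53 to any in via ${oif}"   # DNS replies
    echo "add pass icmp from any to any icmptypes 0,3,8,11"
    echo "add deny log all from any to any"
}

# Sanity-check the ordering before touching the live ruleset: spoof
# checks before the divert, the sshd allow before the inbound catch-all
# deny, and an explicit deny as the last rule.
check_ruleset() {
    rules=$(firewall_rules)
    n_spoof=$(echo "$rules"  | grep -n "deny log all from ${inet} to any in via" | cut -d: -f1 | head -1)
    n_divert=$(echo "$rules" | grep -n '^add divert natd' | cut -d: -f1 | head -1)
    n_ssh=$(echo "$rules"    | grep -n " to ${oip} 22 in via ${oif} setup" | cut -d: -f1 | tail -1)
    n_deny=$(echo "$rules"   | grep -n "^add deny log tcp from any to any in via ${oif} setup" | cut -d: -f1)
    last=$(echo "$rules" | tail -1)
    [ -n "$n_spoof" ] && [ -n "$n_divert" ] && [ -n "$n_ssh" ] && [ -n "$n_deny" ] &&
    [ "$n_spoof" -lt "$n_divert" ] && [ "$n_ssh" -lt "$n_deny" ] &&
    [ "$last" = "add deny log all from any to any" ]
}

# Flush and load.  Each emitted line is word-split into ipfw arguments.
apply_rules() {
    ${fwcmd} -f flush
    firewall_rules | while read -r rule; do
        ${fwcmd} ${rule}
    done
}

case "${1-}" in
    apply) check_ruleset || { echo "ruleset failed sanity check" >&2; exit 1; }
           apply_rules ;;
    check) check_ruleset && echo "ruleset ok" ;;
    *)     firewall_rules ;;     # default: print the rules for review
esac
```

Run it with no argument to print the rules, with check to run the ordering test, and with apply to load them. Do the apply from the console, not over ssh: the flush removes every rule first, and whether the box then passes or drops traffic depends on the kernel's default rule. The divert rule needs a kernel built with IPFIREWALL and IPFIREWALL_DIVERT and a natd running on the same interface (natd -interface ed0), and the log keyword only produces output with IPFIREWALL_VERBOSE. The UDP rules are stateless and therefore coarse; on ipfw versions that support keep-state, replacing them with stateful rules is the tighter choice.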