Date: Tue, 28 Mar 2000 13:54:01 -0800
From: Scott Hess <scott@avantgo.com>
To: "Brian O'Shea" <boshea@ricochet.net>
Cc: Kelly Yancey <kbyanc@posi.net>, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328135401.A17746@river.avantgo.com>
In-Reply-To: <20000328130850.Z330@beastie.localdomain>
References: <20000328113534.W330@beastie.localdomain> <Pine.BSF.4.05.10003281436440.3162-100000@kronos.networkrichmond.com> <20000328130850.Z330@beastie.localdomain>
On Tue, Mar 28, 2000 at 01:08:50PM -0800, Brian O'Shea wrote:
> Thank you for your response. This is what I thought, although I
> should have clarified my question. I was wondering if there is any
> added security to having packet filtering rules on the router, in
> addition to NAT. Since there are no services to exploit (ignoring
> sshd for the moment), what rules would I add? If there are no
> services running, then there is no need to block any ports. But are
> there other types of vulnerabilities that I should be worried about?

You could tell the packet filter to only allow packets to the ssh port. Sounds redundant, but it certainly does prevent you from accidentally opening up a hole at some point.

You might want to log packets, on the off chance that someone is doing something interesting.

You might want to adjust whether non-ssh packets are rejected, or simply dropped on the floor. Rejecting the packet gives an immediate "Connection denied" response to probes, whereas dropping the packet just leaves the probe high & dry.

Later,
scott
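The ruleset Scott describes (NAT on the router, inbound only to the ssh port, logging, and a switch between dropping and rejecting everything else), written out as an added ipfw(8) example that is not part of the original message. It assumes the external interface is a placeholder named ext0, that natd(8) is already running on the divert port named "natd" in /etc/services, and that the functions are only generating the commands so they can be reviewed before being piped into sh.

```sh
#!/bin/sh
# Assumption: external interface is called ext0 (placeholder name).
IFACE="${IFACE:-ext0}"

# Emit the ipfw commands for the given policy: "drop" silently discards
# non-ssh connection attempts, "reject" answers them with a TCP RST so the
# prober gets an immediate "connection refused" instead of a timeout.
gen_rules() {
    mode="$1"
    case "$mode" in
        drop)   final="deny"  ;;   # packet disappears; probe waits and times out
        reject) final="reset" ;;   # RST sent back; probe fails at once
        *) echo "usage: gen_rules drop|reject" >&2; return 1 ;;
    esac
    cat <<EOF
sysctl -w net.inet.ip.fw.verbose=1
ipfw -f flush
ipfw add 50 divert natd ip from any to any via $IFACE
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 allow tcp from any to me 22 in via $IFACE setup
ipfw add 210 allow tcp from any to any established
ipfw add 300 $final log tcp from any to any in via $IFACE setup
ipfw add 65000 deny log ip from any to any in via $IFACE
EOF
}

# Apply the generated rules (needs root on the FreeBSD router).
apply_rules() {
    gen_rules "$1" | sh
}
```

Rule 300 is the only line that changes between the two policies; rule 65000 stays a logged silent drop for anything that is not TCP, so the log shows both the SYN probes and the stray UDP/ICMP that reach the router.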