Date: Tue, 28 Mar 2000 13:54:01 -0800
From: Scott Hess
To: "Brian O'Shea"
Cc: Kelly Yancey, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328135401.A17746@river.avantgo.com>
References: <20000328113534.W330@beastie.localdomain> <20000328130850.Z330@beastie.localdomain>
In-Reply-To: <20000328130850.Z330@beastie.localdomain>

On Tue, Mar 28, 2000 at 01:08:50PM -0800, Brian O'Shea wrote:
> Thank you for your response. This is what I thought, although I
> should have clarified my question. I was wondering if there is any
> added security to having packet filtering rules on the router, in
> addition to NAT. Since there are no services to exploit (ignoring
> sshd for the moment), what rules would I add? If there are no
> services running, then there is no need to block any ports. But are
> there other types of vulnerabilities that I should be worried about?

You could tell the packet filter to only allow packets to the ssh port.
Sounds redundant, but it certainly does prevent you from accidentally
opening up a hole at some point. You might want to log packets, on the
off chance that someone is doing something interesting.

You might want to adjust whether non-ssh packets are rejected, or simply
dropped on the floor. Rejecting the packet gives an immediate "Connection
denied" response to probes, whereas dropping the packet just leaves the
probe high & dry.

Later,
scott
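The rule set and log review Scott describes, written out for ipfw(8) on a FreeBSD 4.x NAT router, as an added example that is not code from the thread. The interface name ep0, the address 203.0.113.2, natd(8) on the divert socket and net.inet.ip.fw.verbose=1 are assumptions, and the syslog lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the reply's advice as an ipfw(8) rule set for a
# FreeBSD 4.x NAT router, plus a summary of what its log rules catch. Assumed: external
# interface ep0 at 203.0.113.2, natd(8) on the divert socket, net.inet.ip.fw.verbose=1.
EXT_IF=ep0
EXT_IP=203.0.113.2

# ssh_only_rules MODE: "drop" discards silently, "reject" answers with RST / ICMP unreachable.
ssh_only_rules() {
    case $1 in
        drop)   tcp=deny;  other=deny ;;
        reject) tcp=reset; other="unreach port" ;;
        *) echo "usage: ssh_only_rules drop|reject" >&2; return 1 ;;
    esac
    cat <<EOF
add 100 divert natd ip from any to any via $EXT_IF
add 200 allow tcp from any to any established
add 300 allow ip from any to any frag
add 400 allow log tcp from any to $EXT_IP 22 setup
add 500 $tcp log tcp from any to any in via $EXT_IF setup
add 600 allow udp from any 53 to any in via $EXT_IF
add 700 $other log ip from any to any in via $EXT_IF
add 800 allow ip from any to any
EOF
}

# Constructed syslog lines in the format rules 400/500/700 produce.
SAMPLE_LOG='Mar 28 13:50:01 gw /kernel: ipfw: 500 Deny TCP 198.51.100.7:4021 203.0.113.2:23 in via ep0
Mar 28 13:50:02 gw /kernel: ipfw: 500 Deny TCP 198.51.100.7:4022 203.0.113.2:111 in via ep0
Mar 28 13:50:05 gw /kernel: ipfw: 500 Deny TCP 198.51.100.7:4023 203.0.113.2:23 in via ep0
Mar 28 13:51:10 gw /kernel: ipfw: 700 Deny UDP 192.0.2.44:5353 203.0.113.2:161 in via ep0
Mar 28 13:51:11 gw /kernel: ipfw: 700 Deny ICMP:8.0 192.0.2.44 203.0.113.2 in via ep0
Mar 28 13:52:00 gw /kernel: ipfw: 400 Accept TCP 192.0.2.9:51000 203.0.113.2:22 in via ep0'

# summarize_probes: stdin = ipfw syslog lines; prints "count source ports" for blocked
# inbound packets, busiest source first (ICMP has no port, so proto:type is listed).
summarize_probes() {
    awk '$6 == "ipfw:" && $8 != "Accept" && $8 != "Count" {
            split($10, s, ":"); split($11, d, ":")
            label = (d[2] == "") ? $9 : d[2]
            n[s[1]]++
            if (!seen[s[1], label]++)
                ports[s[1]] = ports[s[1]] (ports[s[1]] == "" ? "" : ",") label
        }
        END { for (ip in n) printf "%d %s %s\n", n[ip], ip, ports[ip] }' | sort -rn
}

ssh_only_rules reject
printf '%s\n' "$SAMPLE_LOG" | summarize_probes
```

Feed the rule set to `ipfw -q /dev/stdin` style loading via rc.firewall, and run the summary over /var/log/security to see which sources the deny rules caught.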