From owner-freebsd-net Tue Mar 28 15: 9:45 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rdc1.sfba.home.com (ha1.rdc1.sfba.home.com [24.0.0.66]) by hub.freebsd.org (Postfix) with ESMTP id 7B73B37B651 for ; Tue, 28 Mar 2000 15:09:42 -0800 (PST) (envelope-from boshea@ricochet.net)
Received: from beastie.localdomain ([24.19.158.41]) by mail.rdc1.sfba.home.com (InterMail v4.01.01.00 201-229-111) with ESMTP id <20000328230941.LCLF5721.mail.rdc1.sfba.home.com@beastie.localdomain>; Tue, 28 Mar 2000 15:09:41 -0800
Received: (from brian@localhost) by beastie.localdomain (8.9.3/8.8.7) id PAA22410; Tue, 28 Mar 2000 15:18:49 -0800 (PST) (envelope-from brian)
Date: Tue, 28 Mar 2000 15:18:49 -0800
From: "Brian O'Shea"
To: Scott Hess
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328151849.C330@beastie.localdomain>
Mail-Followup-To: Scott Hess , freebsd-net@FreeBSD.ORG
References: <20000328113534.W330@beastie.localdomain> <20000328130850.Z330@beastie.localdomain> <20000328135401.A17746@river.avantgo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <20000328135401.A17746@river.avantgo.com>; from Scott Hess on Tue, Mar 28, 2000 at 01:54:01PM -0800
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Mar 28, 2000 at 01:54:01PM -0800, Scott Hess wrote:
>
> You could tell the packet filter to only allow packets to the
> ssh port. Sounds redundant, but it certainly does prevent you
> from accidentally opening up a hole at some point.

True.

>
> You might want to log packets, on the off chance that someone is
> doing something interesting.

Hmm, this could be interesting.

>
> You might want to adjust whether non-ssh packets are rejected, or
> simply dropped on the floor. Rejecting the packet gives an immediate
> "Connection denied" response to probes, whereas dropping the packet
> just leaves the probe high&dry.
That's a good idea, I'll have to check it out. I assume you mean the
"deny" and "reject" (now "unreach") actions mentioned in the ipfw(8)
man page.

Thanks a lot!
-brian

-- 
Brian O'Shea
boshea@ricochet.net

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message