Date:      Wed, 29 Mar 2000 12:27:15 -0800
From:      "Brian O'Shea" <boshea@ricochet.net>
To:        Joshua Goodall <joshua@roughtrade.net>
Cc:        Randy Bush <randy@psg.com>, "Brian O'Shea" <boshea@ricochet.net>, freebsd-net@FreeBSD.ORG
Subject:   Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID:  <20000329122715.G330@beastie.localdomain>
In-Reply-To: <Pine.BSF.4.10.10003291547590.72451-100000@catatonia>; from Joshua Goodall on Wed, Mar 29, 2000 at 04:07:21PM +0200
References:  <E12aIaA-0001yj-00@roam.psg.com> <Pine.BSF.4.10.10003291547590.72451-100000@catatonia>

On Wed, Mar 29, 2000 at 04:07:21PM +0200, Joshua Goodall wrote:
> 
> > nats kindly create and generate the mappings for the attacker.
> 
> not if you are using a raw natd like many of us might use on a home
> cable-modem-connected network e.g.

What is raw natd, what are the other types of natd, and what
distinguishes them from one another?

> 
> # /sbin/ifconfig fx0 inet 10.1.1.1 netmask 0xfffffe00
> # /sbin/dhclient de0
> # /sbin/natd -dynamic -n de0
> 
> or the rc.conf equivalent thereof.
> 
> However, I think Randy is essentially warning that each private address
> can be statically mapped to a public one, demonstrating that NAT is not
> necessarily a security feature, it's a convenience.

Ok, so that basically answers the question in my last post.  If I
understand correctly, someone on the same subnet as my router's external
interface could set a static route to my internal network through my
router's external interface.  In other words, I am vulnerable to attack
from anyone who subscribes to the same cable modem service that I do, and
happens to be on the same subnet (I believe subnets are regional, so
that means roughly anyone in my neighborhood).  Not to mention anyone
who manages to compromise one of my neighbor's systems and subsequently
attack my system.

> 
> Security comes from application-layer content filtering, thorough logging,
> packet filtering, competent administration, regular sweeps, subscriptions
> to bugtraq et al, and so on into the darkness.

This sounds like reason enough for me to implement some packet filtering
rules.  Decision made.

The next question is, if my assumptions (above) are correct, is it
sufficient to only block packets from the subnet to which my external
interface is connected?

-brian

> 
> - J
> 

Thank you!  This is all very good information.
-brian

-- 
Brian O'Shea
boshea@ricochet.net
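An added illustration (not part of the thread, and not FreeBSD's own code) of the question asked above: a minimal first-match filter modelled on ipfw's inbound evaluation, run over constructed packets, to compare "block the cable subnet only" against "block anything arriving on de0 that is addressed to the internal net or claims a private source". The internal net 10.1.0.0/23 comes from the ifconfig line in the thread; the ISP subnet 203.0.113.0/24, the remote host 198.51.100.9 and the public address 203.0.113.5 are assumed sample values.

```python
from ipaddress import ip_address, ip_network

# Addresses: INTERNAL is the fx0 side from the thread; the rest are constructed.
INTERNAL = ip_network("10.1.0.0/23")
CABLE_SUBNET = ip_network("203.0.113.0/24")      # assumed ISP subnet on de0
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")

def first_match(rules, pkt):
    """ipfw-style evaluation: first rule whose (iface, src, dst) matches decides.
    A rule is (action, src_net, dst_net, in_iface); in_iface=None matches any."""
    for action, src, dst, iface in rules:
        if iface is not None and pkt["in"] != iface:
            continue
        if ip_address(pkt["src"]) not in src or ip_address(pkt["dst"]) not in dst:
            continue
        return action
    return "allow"   # trailing default allow, like an "open" ruleset

# Rule set A: only neighbours on the cable subnet are blocked.
SUBNET_ONLY = [("deny", CABLE_SUBNET, ANY, "de0")]

# Rule set B: anything arriving on de0 aimed at the internal net, or carrying
# a private source address, is dropped no matter where it originated.
DEST_BASED = [("deny", ANY, INTERNAL, "de0")] + \
             [("deny", n, ANY, "de0") for n in RFC1918]

# Constructed inbound packets on the external interface.
PACKETS = {
    "neighbour": {"in": "de0", "src": "203.0.113.77", "dst": "10.1.1.50"},
    "remote":    {"in": "de0", "src": "198.51.100.9", "dst": "10.1.1.50"},  # routed in from outside the subnet
    "spoofed":   {"in": "de0", "src": "10.1.1.9",     "dst": "10.1.1.1"},   # private source on the outside
    "reply":     {"in": "de0", "src": "198.51.100.9", "dst": "203.0.113.5"}, # normal reply to natd's public address
}

def verdicts(rules):
    """Map each sample packet name to the action the rule set yields."""
    return {name: first_match(rules, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    print("subnet-only:", verdicts(SUBNET_ONLY))
    print("dest-based: ", verdicts(DEST_BASED))
```

The subnet-only set stops the neighbour but passes the routed and spoofed packets; the destination-based set stops all three while still letting ordinary replies to the public address through.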


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000329122715.G330>