Date: Wed, 29 Mar 2000 16:07:21 +0200 (CEST)
From: Joshua Goodall <joshua@roughtrade.net>
To: Randy Bush <randy@psg.com>
Cc: "Brian O'Shea" <boshea@ricochet.net>, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <Pine.BSF.4.10.10003291547590.72451-100000@catatonia>
In-Reply-To: <E12aIaA-0001yj-00@roam.psg.com>

> nats kindly create and generate the mappings for the attacker.

not if you are using a raw natd like many of us might use on a home
cable-modem-connected network, e.g.

    # /sbin/ifconfig fx0 inet 10.1.1.1 netmask 0xfffffe00
    # /sbin/dhclient de0
    # /sbin/natd -dynamic -n de0

or the rc.conf equivalent thereof.

However, I think Randy is essentially warning that each private address
can be statically mapped to a public one, demonstrating that NAT is not
necessarily a security feature, it's a convenience.

Security comes from application-layer content filtering, thorough logging,
packet filtering, competent administration, regular sweeps, subscriptions
to bugtraq et al, and so on into the darkness.

- J