FreeBSD Security Archives: port-blocking ipfw rules with NAT - necessary?

port-blocking ipfw rules with NAT - necessary?


John Heyer (johnarnie@jfive.com)
Mon, 20 Sep 1999 16:13:41 -0500 (CDT)


In the firewall section of the handbook, it recommends something like:
- Stop IP spoofing and RFC1918 networks on the outside interface
- Deny most (if not all) UDP traffic
- Protect TCP ports 1-1024,2000,2049,6000-6063 on the internal network

These rules make sense, but I think they make the assumption the network
you're protecting is routable. If I'm running NAT and my internal network is
non-routable, do I really need to continue blocking ports? For example,
let's say someone was running an open relay mail server or vulnerable FTP
server - would it be possible for an intruder to somehow access the
internal machine assuming I'm not using -redirect_port or
-redirect_address with natd?

--
"Your illogical approach ... does have its advantages."
				-- Spock, after being Checkmated by Kirk




This archive was generated by hypermail 2.0b3 on Mon Sep 20 1999 - 16:25:41 CDT