On Wed, Jul 02, 2003 at 07:06:25PM -0400, Chuck Swiger wrote: [...] > By itself, NAT provides no benefit to security, and some implementations > actually reduce the security of the system compared with not running NAT. > Our natd(8) contributes to security somewhat, by providing the -deny_incoming option.
Also, by using a dedicated IP address for a NAT, and blocking
(with a firewall) all incoming packets that do not match an
already established connections (originated locally, or mapped
with static redirection rules), you secure your NAT host.
(This is even without the -deny_incoming option to natd(8).)
Here's the relevant part of the functioning firewall ruleset:
# Route to the per-interface ruleset.
${fwcmd} add skipto 1000 ip from any to any via ${iif}
${fwcmd} add skipto 2000 ip from any to any via ${oif}
...
# EXTERNAL INTERFACE RULESET
# Spoof protection.
${fwcmd} add 2000 deny ip from ${inet} to any in
...
# NAT.
${fwcmd} add divert natd ip from ${inet} to any out
${fwcmd} add divert natd ip from any to ${nat} in
${fwcmd} add deny ip from any to ${nat} in
Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
[EMAIL PROTECTED] Sunbay Software Ltd,
[EMAIL PROTECTED] FreeBSD committer
pgp00000.pgp
Description: PGP signature
