Mike Silbersack wrote:
[ ... ]
Please explain this point more.

Say I have 1000 win 9x boxes connected to the internet with routable IPs
and no firewall.  How will placing them behind a NAT box make them less
secure?

"man natd" suggests that you've just enabled IP spoofing for the LAN:

          You should be aware of the fact that, with these firewall settings,
          everyone on your local network can fake his source-address using
          your host as gateway.  If there are other hosts on your local
          network, you are strongly encouraged to create firewall rules that
          only allow traffic to and from trusted hosts.

People using NAT tend to permit arbitrary outbound connections from clients rather than, for example, mandating that all permitted client connections go through a designated and monitored proxy. The placement of the divert rule early on tends to circumvent egress filtering.

However, I would suggest that my point has less to do with whether NAT can reduce the security of a completely open network with no firewall any further (although there are ways that it could), and more to do with whether the combination of firewall+NAT is particularly safe and secure compared with firewall-without-NAT. At the very least, using NAT on the firewall increases the scope and potential of denial-of-service attacks to exhaust kernel memory or sockets (if use_sockets is set).

--
-Chuck

PS: But I also saw comments from Ruslan and Dean, and I'm willing to let this issue lapse rather than prolong a debate that people don't think is on-topic.
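The divert-placement point above and the natd(8) warning, as an added example that is not from the thread or from natd(8): two ipfw rulesets for a FreeBSD NAT gateway, the ordering the man page example uses (divert first, pass everything) beside one that runs anti-spoofing and egress rules ahead of the divert. Interface names fxp0/fxp1, the 192.168.1.0/24 LAN, the trusted host addresses and the permitted ports are assumptions; the script only prints the rules unless FWCMD=/sbin/ipfw is set.

```sh
#!/bin/sh
# Added example (not from the thread or from natd(8)): two ipfw rulesets
# for a FreeBSD NAT gateway. Interface names, the LAN prefix and the
# trusted hosts are assumptions. Rules are printed unless FWCMD=/sbin/ipfw.
fwcmd="${FWCMD:-echo ipfw}"
ext_if="fxp0"                               # assumed Internet-facing interface
int_if="fxp1"                               # assumed LAN interface
lan_net="192.168.1.0/24"                    # assumed LAN prefix
trusted_hosts="192.168.1.10 192.168.1.11"   # assumed hosts allowed out via NAT

# The ordering natd(8) warns about: divert first, then pass everything.
# A LAN host can forge its source address; the packet reaches the divert
# rule before any check and leaves carrying the gateway's address.
weak_rules() {
    $fwcmd -f flush
    $fwcmd add 100 divert natd ip from any to any via $ext_if
    $fwcmd add 200 allow ip from any to any
}

# Hardened ordering: anti-spoofing and egress policy run before divert,
# so a packet that fails them is dropped and is never translated.
hardened_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    # No LAN source may arrive from outside; only LAN sources may enter
    # on the inside interface (a forged source is dropped here).
    $fwcmd add 200 deny ip from $lan_net to any in via $ext_if
    $fwcmd add 210 deny ip from not $lan_net to any in via $int_if
    # Egress: only trusted hosts, and only web and DNS. Hosts on the same
    # LAN can still claim each other's addresses; ipfw cannot tell them
    # apart at layer 3, hence the man page's "trusted hosts" wording.
    for h in $trusted_hosts; do
        $fwcmd add 300 allow tcp from $h to any 80,443 in via $int_if
        $fwcmd add 300 allow udp from $h to any 53 in via $int_if
    done
    $fwcmd add 320 deny ip from $lan_net to any in via $int_if
    # Translation only for traffic that survived the checks above.
    $fwcmd add 400 divert natd ip from any to any via $ext_if
    $fwcmd add 500 allow ip from any to any out via $ext_if
    $fwcmd add 510 allow tcp from any to any in via $ext_if established
    $fwcmd add 511 allow udp from any 53 to any in via $ext_if
    $fwcmd add 520 allow ip from any to $lan_net out via $int_if
    $fwcmd add 600 deny ip from any to any
}

case "${1:-}" in
    weak)     weak_rules ;;
    hardened) hardened_rules ;;
esac
```

Run as `sh nat-rules.sh hardened` to review the rule order, or with `FWCMD=/sbin/ipfw` to load it; the default deny at 600 assumes nothing else needs to reach the gateway itself.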

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"