----- Original Message -----
> From: "Doug Barton" <do...@dougbarton.us>
>
> On 11/13/2011 13:27, Phil Regnauld wrote:
> > That's not exactly correct. NAT doesn't imply
> > firewalling/filtering.
> >
> > To illustrate this to customers, I've mounted attacks/scans on
> > hosts behind NAT devices, from the interconnect network immediately
> > outside: if you can point a route with the ext ip of the NAT device
> > as the next hop, it usually just forwards the packets...
>
> Have you written this up anywhere? It would be absolutely awesome to
> be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
> demonstration of why it isn't.

Accepting strict source routing from a public interface is certainly in the top 10 Worst Common Practices, is it not? (IE: I would be surprised if *any* current router actually let you do that.)

Cheers,
-- jra

-- 
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
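Added example, not written by anyone in this thread: a small Python model of a NAT gateway's forwarding decision, showing why a NAT-only box forwards an unsolicited packet addressed to an internal host when it arrives on the external interface with a route to the LAN, and what an explicit stateful filter on that interface changes. All addresses, interface names and port numbers are constructed for the model.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

LAN = ip_network("192.168.1.0/24")   # constructed internal prefix
WAN_IF, LAN_IF = "wan0", "lan0"      # constructed interface names


@dataclass(frozen=True)
class Packet:
    in_if: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class NatGateway:
    # If False, the box translates and routes but never filters (NAT only).
    stateful_filter: bool
    # NAT/conntrack table: (remote_ip, remote_port, ext_port) -> (lan_ip, lan_port)
    nat_table: Dict[Tuple[str, int, int], Tuple[str, int]] = field(default_factory=dict)

    def outbound(self, pkt: Packet, ext_port: int) -> None:
        """A LAN host opens a flow; record the translation (this is all NAT does)."""
        assert pkt.in_if == LAN_IF
        self.nat_table[(pkt.dst, pkt.dport, ext_port)] = (pkt.src, pkt.sport)

    def route(self, dst: str) -> Optional[str]:
        """Plain destination routing: the LAN prefix is directly connected."""
        return LAN_IF if ip_address(dst) in LAN else None

    def forward(self, pkt: Packet) -> str:
        """Decision for a packet arriving on wan0: 'DNAT', 'FORWARD' or 'DROP'."""
        assert pkt.in_if == WAN_IF
        if (pkt.src, pkt.sport, pkt.dport) in self.nat_table:
            return "DNAT"   # reply to a flow the LAN opened: translated and passed
        if self.route(pkt.dst) is None:
            return "DROP"   # no route to the destination, nothing to forward to
        # The case in the thread: a neighbour on the interconnect routes the LAN
        # prefix via the gateway's external address. With a route to the LAN and
        # no filter, the box just forwards; only an explicit filter stops it.
        return "DROP" if self.stateful_filter else "FORWARD"


def demo(stateful: bool) -> Dict[str, str]:
    gw = NatGateway(stateful_filter=stateful)
    # 192.168.1.10 opens a flow to 198.51.100.5:443, masqueraded to external port 40000
    gw.outbound(Packet(LAN_IF, "192.168.1.10", "198.51.100.5", 51000, 443), ext_port=40000)
    reply = Packet(WAN_IF, "198.51.100.5", "203.0.113.1", 443, 40000)       # legit reply
    unsolicited = Packet(WAN_IF, "203.0.113.7", "192.168.1.10", 40001, 22)  # routed at LAN host
    return {"reply": gw.forward(reply), "unsolicited": gw.forward(unsolicited)}


if __name__ == "__main__":
    print("NAT only       :", demo(False))
    print("NAT + stateful :", demo(True))
```

The stateful branch is what a gateway's usual FORWARD policy of accepting only ESTABLISHED,RELATED traffic on the WAN interface and dropping everything else provides; a box that merely translates and routes has no such rule and behaves like the NAT-only case.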