On Wed, Mar 30, 2011 at 02:08:22PM -0400, Derek J. Balling spake thusly:
> Unroutable addresses like RFC1918-space don't suddenly manage to be
> routable across the world to my servers. It takes a MUCH more heinous
> misconfiguration (static NATs, port-forwarding, etc.) for a
> misconfigured NAT to open a server up to attack.
Isn't this just about making your default forward policy be to drop the
packet? We'll all learn that this is THE thing to check. Then it will be
done. Every firewall software that I have seen sets it up this way by
default. And we can throw away years of baggage and convoluted NAT
workarounds which could arguably hurt our security even more due to added
complexity and firewall hole punching techniques.

[root@fw1 ~]# /sbin/iptables -L -n|grep FORWARD
Chain FORWARD (policy DROP)

I'm good to go. Never, not once in my 17-year career managing firewalls,
have I found that a misconfigured firewall was accidentally forwarding.
Have you?

The fact that you had RFC1918 address space behind it shouldn't matter in
answering the question: WOULD it have ever forwarded if you had routable
IPs behind it? Did RFC1918 ever really save you? And if not, why hold onto
it?

--
Tracy Reed
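The check in the message above looks only at the FORWARD chain's policy. A chain whose policy is DROP but which carries an unqualified `-A FORWARD -j ACCEPT` rule still forwards everything, so an audit should look at the rules as well. The script below is an added example, not code from the thread or from any project; it parses the rule-spec output of `iptables -S FORWARD` rather than `iptables -L -n` because `-L` without `-v` does not print interface matches, and so cannot distinguish a catch-all `-j ACCEPT` from a deliberate `-i lan0 -o wan0 -j ACCEPT`. The sample rulesets embedded in it are constructed, and the interface names `lan0`/`wan0` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a netfilter FORWARD
# chain for default-deny, using `iptables -S FORWARD` output passed in as
# a string so the functions can be exercised offline and without root.
#
# Commands one would run on the firewall itself to reach this posture
# (shown as comments; this script never changes a live ruleset):
#   iptables -P FORWARD DROP
#   iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#   iptables -A FORWARD -i lan0 -o wan0 -j ACCEPT   # explicit allow only

# forward_policy RULES: print the chain policy (DROP, ACCEPT, ...) taken
# from the `-P FORWARD <policy>` line; prints nothing if that line is absent.
forward_policy() {
    printf '%s\n' "$1" | sed -n 's/^-P FORWARD \([A-Z]*\)$/\1/p'
}

# catchall_accepts RULES: count ACCEPT rules in FORWARD that carry no match
# at all, i.e. lines that are exactly `-A FORWARD -j ACCEPT`. One such rule
# makes the DROP policy irrelevant: every packet is forwarded before the
# policy is consulted.
catchall_accepts() {
    printf '%s\n' "$1" | awk '$0 == "-A FORWARD -j ACCEPT" { n++ } END { print n + 0 }'
}

# audit_forward RULES: return 0 only if the policy is DROP and there is no
# catch-all ACCEPT; print a one-line verdict either way.
audit_forward() {
    policy=$(forward_policy "$1")
    catchall=$(catchall_accepts "$1")
    if [ "$policy" = "DROP" ] && [ "$catchall" -eq 0 ]; then
        echo "OK: FORWARD policy DROP, no catch-all ACCEPT rule"
        return 0
    fi
    echo "FAIL: FORWARD policy '${policy:-missing}', catch-all ACCEPT rules: $catchall"
    return 1
}

# Constructed sample rulesets (not captured from a real host).
# Default-deny with two explicit allows; this is the intended shape.
GOOD_RULES='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lan0 -o wan0 -j ACCEPT'

# Passes `iptables -L -n | grep FORWARD` (policy DROP) yet forwards everything.
BAD_RULES='-P FORWARD DROP
-A FORWARD -j ACCEPT'

# Run against the samples by default; `--live` audits this host instead.
if [ "${1:-}" = "--live" ]; then
    audit_forward "$(iptables -S FORWARD)"
else
    audit_forward "$GOOD_RULES"
    audit_forward "$BAD_RULES" || true
fi
```

Run it with no arguments to see both verdicts on the samples, or as root with `--live` on the firewall itself. Rules such as `-A FORWARD -s 0.0.0.0/0 -j ACCEPT` are written out by `iptables -S` in canonical form, so the exact-line match above covers the ways a truly unqualified accept can be expressed; anything with an interface, address or module match is left for a human to judge.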
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/