From: Alex Zbyslaw <xfb52@dial.pipex.com>
Date: Wed, 21 Jan 2004 16:48:36 +0000
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw/nated stateful rules example
Message-ID: <400EAD64.9000700@dial.pipex.com>
In-Reply-To: <034301c3dfe4$e336c1e0$0201a8c0@dredster>

Micheal Patterson wrote:

> Whereas what I'm doing "Private LAN Keep-State > NAT > World" is not secure
> and would not be accepted by a security professional? How do you figure
> that either method is more or less secure than the other? If stateful is
> breached in either method, the underlying network is compromised. Sorry,
> it's late and I may be missing something but I just don't see it.

I haven't checked your specific example, but in theory there is nothing wrong with this at all.
One of my examples works the same way. Packets you didn't ask for don't get through. How much more security can you want? As for breaching the dynamic rules you would, I think, have to spoof at least the target IP and probably more, in which case any firewall could succumb.

Personally, I am filing away the various examples for future use, and calling this topic closed. Thanks to everyone who posted solutions. I for one am grateful.

--Alex
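For readers arriving at this thread later, here is a ruleset in the "Private LAN > keep-state > NAT > World" shape the thread discusses. It is an added example, not one of the rulesets posted in the thread; the interface names (fxp0 public, fxp1 LAN), the LAN prefix, the rule numbers and the dry-run FWCMD default are all assumptions. The ordering is the part that matters: the inbound divert to natd must come before check-state, because the dynamic rule was created on the way out with the LAN host's private address, so a reply has to be un-NATed before it can match; and outbound rules jump with skipto past the deny to the outbound divert so that the packet is NATed after state has been recorded.

```shell
#!/bin/sh
# Added example (not from the thread): stateful ipfw + natd ruleset,
# LAN -> keep-state -> NAT -> world.  Assumes natd is running on $PIF
# (natd -interface $PIF) and that the kernel has IPDIVERT.
# FWCMD defaults to "echo ipfw" so the rules can be reviewed without
# touching the firewall; set FWCMD=ipfw on the gateway to load them.

: "${FWCMD:=echo ipfw}"     # dry-run by default (assumption)
: "${PIF:=fxp0}"            # assumed public interface, natd attached here
: "${LIF:=fxp1}"            # assumed LAN interface
: "${LAN:=192.168.1.0/24}"  # assumed private LAN prefix

ipfw_stateful_nat_rules() {
    $FWCMD -f flush
    # Loopback, and never let loopback addresses cross a real interface
    $FWCMD add 100 allow ip from any to any via lo0
    $FWCMD add 110 deny ip from any to 127.0.0.0/8
    $FWCMD add 120 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: our private prefix never arrives from the outside
    $FWCMD add 130 deny ip from $LAN to any in via $PIF
    # LAN side is trusted; policy is enforced on the way out of $PIF
    $FWCMD add 200 allow ip from any to any via $LIF
    # Inbound: un-NAT first so replies carry the private address again
    $FWCMD add 300 divert natd ip from any to any in via $PIF
    # Packets of a session the LAN opened match here and take the
    # parent rule's action (skipto 800), i.e. they are accepted at 810
    $FWCMD add 400 check-state
    # Outbound from the LAN: record state, then jump to NAT
    $FWCMD add 500 skipto 800 tcp from $LAN to any out via $PIF setup keep-state
    $FWCMD add 510 skipto 800 udp from $LAN to any out via $PIF keep-state
    $FWCMD add 520 skipto 800 icmp from $LAN to any out via $PIF keep-state
    # Anything else reaching this point was not asked for
    $FWCMD add 700 deny log ip from any to any
    # NAT outbound traffic; inbound session packets fall through to 810
    $FWCMD add 800 divert natd ip from any to any out via $PIF
    $FWCMD add 810 allow ip from any to any
}

ipfw_stateful_nat_rules
```

Two caveats when adapting this: traffic originating on the gateway itself is not covered by rule 500-520 (they match only the LAN source), so add equivalent rules for the gateway's own outbound traffic if it needs any; and rule 130 is what stands between an outsider and the dynamic table, since a spoofed packet has to carry the LAN address to match an entry, which is the point made above about having to spoof the target IP.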