From owner-freebsd-questions@FreeBSD.ORG Sun Feb 27 23:58:17 2005
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A018E16A4CE for ; Sun, 27 Feb 2005 23:58:17 +0000 (GMT)
Received: from pi.codefab.com (pi.codefab.com [199.103.21.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05D3A43D1F for ; Sun, 27 Feb 2005 23:58:17 +0000 (GMT) (envelope-from cswiger@mac.com)
Received: from localhost (localhost [127.0.0.1]) by pi.codefab.com (Postfix) with ESMTP id 4FD275D39; Sun, 27 Feb 2005 18:58:16 -0500 (EST)
Received: from pi.codefab.com ([127.0.0.1]) by localhost (pi.codefab.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 77292-08; Sun, 27 Feb 2005 18:58:14 -0500 (EST)
Received: from [192.168.1.3] (pool-68-161-75-250.ny325.east.verizon.net [68.161.75.250]) by pi.codefab.com (Postfix) with ESMTP id 4743D5D25; Sun, 27 Feb 2005 18:58:13 -0500 (EST)
Message-ID: <42225E75.6040102@mac.com>
Date: Sun, 27 Feb 2005 18:57:41 -0500
From: Chuck Swiger
Organization: The Courts of Chaos
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041217
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Stevan Tiefert
References: <20050227223559.I11345@mail.rot-1.de>
In-Reply-To: <20050227223559.I11345@mail.rot-1.de>
X-Enigmail-Version: 0.90.0.0
X-Enigmail-Supports: pgp-inline, pgp-mime
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: amavisd-new at codefab.com
cc: freebsd-questions@freebsd.org
Subject: Re: security without NAT?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 27 Feb 2005 23:58:17 -0000

Stevan Tiefert wrote:
[ ... ]
> I understand that if these workstations want to request answers from
> outside the private network they are never getting answers, but is it possible
> to see and attack these workstations from outside?

If you avoid configuring a default route on the local machines, and require them to access any remote services via a subnet-local proxy on this gateway, it will help security significantly.

However, you need to take a great deal of care with the gateway machine even if you disable NAT on it, for reasons someone else just mentioned.

Also, and in particular, you need to block the loose and strict source-routing IP options via a firewall, or else someone who knows what they are doing can still get traffic into your local subnet.

-- 
-Chuck
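Chuck's last point, blocking the loose (LSRR) and strict (SSRR) source-routing IP options at the firewall, is easy to state but worth seeing at the packet level. The following is an added example, not code from this thread or from FreeBSD: it parses the IPv4 option list of a raw header, reports any source-route options it finds, and returns the drop/pass decision a firewall rule such as ipfw's `ipoptions ssrr,lsrr` makes. The packets it runs on are constructed inline (RFC 5737 and RFC 1918 addresses), and the packet builder is a helper written for this example only.

```python
import socket
import struct

# IPv4 option type codes (copied flag, class and number packed into one byte)
LSRR = 0x83  # loose source and record route
SSRR = 0x89  # strict source and record route
RR = 0x07    # record route (harmless for this check)
SOURCE_ROUTE_OPTIONS = {LSRR: "lsrr", SSRR: "ssrr"}


def ipv4_options(packet: bytes):
    """Walk the IPv4 header option area and return [(type, raw_option_bytes), ...]."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    hlen = ihl * 4
    if len(packet) < hlen:
        raise ValueError("header length exceeds packet length")
    opts = packet[20:hlen]
    found, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:          # End of Option List: nothing further
            break
        if t == 1:          # No-Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("malformed option: missing length byte")
        ln = opts[i + 1]
        if ln < 2 or i + ln > len(opts):
            raise ValueError("malformed option: bad length")
        found.append((t, bytes(opts[i:i + ln])))
        i += ln
    return found


def source_route_options(packet: bytes):
    """Names of the source-routing options present, e.g. ['lsrr']."""
    return [SOURCE_ROUTE_OPTIONS[t] for t, _ in ipv4_options(packet)
            if t in SOURCE_ROUTE_OPTIONS]


def should_drop(packet: bytes) -> bool:
    """Firewall decision: drop source-routed packets; also drop unparseable headers."""
    try:
        return bool(source_route_options(packet))
    except ValueError:
        return True


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Hypothetical helper for this example: a minimal IPv4 header (TCP, zero checksum)."""
    options += b"\x00" * ((-len(options)) % 4)       # pad option area to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + options


# Constructed sample packets (not captured traffic).
PLAIN = build_ipv4("203.0.113.5", "192.168.1.3")
# LSRR: type, length 7, pointer 4, one hop address that the packet is routed "via"
LSRR_PKT = build_ipv4("203.0.113.5", "192.168.1.3",
                      bytes([LSRR, 7, 4]) + socket.inet_aton("192.168.1.1"))
SSRR_PKT = build_ipv4("203.0.113.5", "192.168.1.3",
                      bytes([SSRR, 7, 4]) + socket.inet_aton("192.168.1.3"))
# NOP followed by a record-route option: carries an option but is not source-routed
RR_PKT = build_ipv4("203.0.113.5", "192.168.1.3",
                    bytes([1, RR, 7, 4, 0, 0, 0, 0]))
# Header claims IHL=6 (24 bytes) but only 20 bytes are present
TRUNCATED = bytes([0x46]) + PLAIN[1:20]

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("lsrr", LSRR_PKT), ("ssrr", SSRR_PKT),
                      ("rr", RR_PKT), ("truncated", TRUNCATED)]:
        print(f"{name:10s} drop={should_drop(pkt)}")
```

On a FreeBSD gateway the same policy is expressed by the kernel, with the `net.inet.ip.sourceroute` and `net.inet.ip.accept_sourceroute` sysctls both left at 0, and by the packet filter: ipfw matches these options with `ipoptions ssrr,lsrr`, and pf's `scrub` drops packets carrying IP options unless a rule explicitly says `allow-opts`. The parser above is what such a rule has to do on every packet, including rejecting a header whose option area is malformed rather than letting it through.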