From: Randy Bush
To: "Brian O'Shea"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Date: Wed, 29 Mar 2000 23:02:26 +0930

>>> NAT will effectively protect the boxes on your network.
>> how? firewalls protect. nat merely translates addresses.
> Correct. And since there is no way for machines outside of my local
> network to know what internal addresses are being translated by my
> router, there is no way to address them from outside.

nats kindly create and generate the mappings for the attacker.

> Even if these addresses are known, there is no route to them from the
> internet;

there are routes to the addresses to which nat translates them.

> they are reserved for use by private networks:
>

wow! what an exciting rfc!

i am sitting next to three rather renowned security folk at the iesg/iab breakfast here at the adelaide ietf. quote one whose book you probably read:

"NATs per se provide little security. They can, however, be used as one component of a firewall, which does provide some security."

randy
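As an added illustration of the distinction drawn in the message above (this is not code from the thread or from FreeBSD): a toy model of a NAT translation table, where the mapping an inside host creates by talking out is what lets outside packets reach it, and the same table consulted by a stateful filter admits only the recorded peer. It assumes a NAT with endpoint-independent mapping and no filtering of its own; all addresses are constructed.

```python
# Added example, not from the thread. Toy NAT translation table: translation
# alone forwards anything sent to a mapped port, while a stateful filter on the
# same table admits only the recorded peer. Assumes endpoint-independent
# mapping and no filtering in the NAT itself (a modelling assumption).
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: tuple  # (ip, port)
    dst: tuple

@dataclass
class Nat:
    external_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # ext_port -> (inside addr, outside peer)

    def outbound(self, pkt):
        """Inside host sends out: allocate an external port and record the mapping."""
        for port, (inside, _peer) in self.table.items():
            if inside == pkt.src:          # reuse the existing mapping
                return Packet((self.external_ip, port), pkt.dst)
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = (pkt.src, pkt.dst)
        return Packet((self.external_ip, port), pkt.dst)

    def inbound(self, pkt):
        """Translation only: any packet to a mapped port goes inside, whoever sent it."""
        entry = self.table.get(pkt.dst[1])
        return None if entry is None else Packet(pkt.src, entry[0])

    def inbound_filtered(self, pkt):
        """Translation plus a stateful filter: only the recorded peer may use the mapping."""
        entry = self.table.get(pkt.dst[1])
        if entry is None or entry[1] != pkt.src:
            return None
        return Packet(pkt.src, entry[0])

def demo():
    nat = Nat("203.0.113.1")  # constructed: RFC 1918 inside, RFC 5737 ranges outside
    inside, peer = ("10.0.0.5", 51000), ("198.51.100.7", 80)
    out = nat.outbound(Packet(inside, peer))         # the NAT itself creates the mapping
    reply = Packet(peer, out.src)                    # legitimate reply from the peer
    stranger = Packet(("192.0.2.9", 4444), out.src)  # unsolicited packet to the mapped port
    return {
        "mapped_port": out.src[1],
        "reply": nat.inbound(reply).dst,
        "stranger_nat_only": nat.inbound(stranger).dst,
        "stranger_filtered": nat.inbound_filtered(stranger),
        "unmapped": nat.inbound(Packet(peer, (nat.external_ip, 40001))),
    }
```

With translation alone the unsolicited packet is delivered to the inside host exactly like the real reply; the filter, not the translation, is what drops it.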