Date: Wed, 29 Mar 2000 13:19:45 -0800
From: Scott Hess <scott@avantgo.com>
To: "Brian O'Shea" <boshea@ricochet.net>
Cc: Joshua Goodall <joshua@roughtrade.net>, Randy Bush <randy@psg.com>, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000329131945.A20455@river.avantgo.com>
In-Reply-To: <20000329122715.G330@beastie.localdomain>
References: <E12aIaA-0001yj-00@roam.psg.com> <Pine.BSF.4.10.10003291547590.72451-100000@catatonia> <20000329122715.G330@beastie.localdomain>
On Wed, Mar 29, 2000 at 12:27:15PM -0800, Brian O'Shea wrote:
> The next question is, if my assumptions (above) are correct, is it
> sufficient to only block packets from the subnet to which my external
> interface is connected?

The two general classes of this problem are to allow all while denying specific ports/ips, or to deny all and allow specific ports/ips. In a hostile environment (I think cable modems qualify :-), you probably want to deny all, and only allow through the specific things that are needed.

Denying everything has the added advantage of making it very clear what needs to be open. Everything that breaks has to be fixed, and then you know exactly what's going through. The downside is that you might spend three weeks without email because you denied too much :-).

Later,
scott
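An added illustration, not part of the thread and not FreeBSD ipfw syntax: a toy first-match rule evaluator that runs the two policy classes Scott describes over a few constructed inbound packets. The cable-segment prefix, the addresses and the port choices are assumptions made for the example.

```python
"""Toy first-match packet filter: default-allow vs default-deny (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address (constructed values below)
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"          # "any" matches every protocol
    src_prefix: str = ""        # "" matches any source; "10.0.0." is a naive /24 match
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and p.src.startswith(self.src_prefix)
                and (self.dport is None or self.dport == p.dport))


def evaluate(rules: List[Rule], packet: Packet) -> str:
    """First matching rule wins; the last rule is the default policy."""
    for r in rules:
        if r.matches(packet):
            return r.action
    raise ValueError("ruleset has no catch-all default rule")


# Class 1: allow all, deny only the cable-modem segment and a known-bad port.
ALLOW_DEFAULT = [
    Rule("deny", src_prefix="10.0.0."),        # assumed local cable segment
    Rule("deny", proto="tcp", dport=139),      # NetBIOS session service
    Rule("allow"),                             # everything else gets in
]
# Class 2: deny all, open only what is known to be needed.
DENY_DEFAULT = [
    Rule("allow", proto="tcp", dport=22),      # ssh
    Rule("allow", proto="tcp", dport=80),      # http
    Rule("deny"),                              # everything else is dropped
]

# Constructed inbound packets; the last one is the "forgot to open mail" case.
SAMPLE = [
    Packet("tcp", "10.0.0.7", 139),    # neighbour on the cable segment
    Packet("tcp", "192.0.2.10", 80),   # web traffic, expected
    Packet("tcp", "192.0.2.10", 110),  # POP3, nobody thought to open it
]


def compare(packets: List[Packet]) -> List[Tuple[int, str, str]]:
    """(dport, verdict under allow-default, verdict under deny-default)."""
    return [(p.dport, evaluate(ALLOW_DEFAULT, p), evaluate(DENY_DEFAULT, p))
            for p in packets]
```

Under deny-default the unanticipated POP3 session is dropped until someone adds a rule, which is exactly the "breaks, then you fix it" discipline the message describes.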