From: Brian Somers
To: Brian Somers
Cc: "Brian O'Shea", Joshua Goodall, Randy Bush, freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Date: Fri, 31 Mar 2000 15:06:22 +0100
Message-Id: <200003311406.PAA02684@hak.lan.Awfulhak.org>
In-Reply-To: Message from Brian Somers of "Fri, 31 Mar 2000 12:14:36 BST." <200003311114.MAA01613@hak.lan.Awfulhak.org>

> > > However, I think Randy is essentially warning that each private address
> > > can be statically mapped to a public one, demonstrating that NAT is not
> > > necessarily a security feature, it's a convenience.
> >
> > Ok, so that basically answers the question in my last post. If I
> > understand correctly, someone on the same subnet as my router's external
> > interface could set a static route to my internal network through my
> > router's external interface. In other words, I am vulnerable to attack
> > from anyone who subscribes to the same cable modem service that I do, and
> > happens to be on the same subnet (I believe subnets are regional, so
> > that means roughly anyone in my neighborhood). Not to mention anyone
> > who manages to compromise one of my neighbor's systems and subsequently
> > attack my system.
>
> Hmm, there's a PacketAliasSetTarget() function in libalias that will
> direct all incoming connections to a given IP number irrespective of
> their destination address. Unfortunately, it's not used by either
> ppp or natd.
>
> I think I'll add a ``nat target'' command to ppp.

In fact, there's a bug in libalias. Packets destined to anything that's
not redirected (with PacketAliasRedirectAddr() or implicitly) should be
redirected to the alias address according to the documentation.

This is now reality (as of about a minute ago).

--
Brian
Don't _EVER_ lose your sense of humour !
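The two behaviours discussed in this thread, as a small added model in C (this is not code from libalias, ppp or natd, and the struct and function names are invented for the illustration): an inbound packet that matches a connection the translation table already knows about is rewritten back to the internal host, and anything else is either passed through untouched (the behaviour Brian calls a bug, which lets a packet addressed straight to a private host arrive there if a neighbour routes it at the external interface) or redirected to the target/alias address as the documentation describes. The addresses are constructed: 198.51.100.7 stands in for the public address, 172.31.0.12 for the internal host, 203.0.113.9 for a remote peer.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ip4_t;

/* Pack four octets into a host-order IPv4 address (constructed helper). */
static ip4_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((ip4_t)a << 24) | ((ip4_t)b << 16) | ((ip4_t)c << 8) | (ip4_t)d;
}

/* The header fields the decision needs; a real packet carries many more. */
struct pkt {
    ip4_t src, dst;
    uint16_t sport, dport;
};

/* One translation created earlier when an internal host opened a connection. */
struct link {
    ip4_t private_ip;   uint16_t private_port;  /* the internal host */
    uint16_t alias_port;                        /* port used on the public address */
    ip4_t remote_ip;    uint16_t remote_port;   /* the peer on the Internet */
};

enum verdict {
    PKT_TRANSLATED,            /* reply to a known connection, rewritten to the private host */
    PKT_REDIRECTED_TO_TARGET,  /* unmatched, sent to the target/alias address */
    PKT_PASSED_THROUGH         /* unmatched, left exactly as it arrived */
};

struct nat {
    ip4_t alias_addr;        /* public address of the external interface */
    ip4_t target_addr;       /* destination for unmatched inbound packets; 0 means the alias address */
    int redirect_unmatched;  /* 0: pass-through (the bug), 1: the documented behaviour */
    struct link links[8];
    int nlinks;
};

/* Decide what happens to a packet arriving on the external interface. */
enum verdict nat_incoming(const struct nat *n, struct pkt *p)
{
    /* 1. A reply to a connection the table already knows about is rewritten
     *    back to the internal host that opened it. */
    for (int i = 0; i < n->nlinks; i++) {
        const struct link *l = &n->links[i];
        if (p->dst == n->alias_addr && p->dport == l->alias_port &&
            p->src == l->remote_ip && p->sport == l->remote_port) {
            p->dst = l->private_ip;
            p->dport = l->private_port;
            return PKT_TRANSLATED;
        }
    }
    /* 2. Documented behaviour: everything else goes to the target address,
     *    which defaults to the alias address, whatever destination it carried. */
    if (n->redirect_unmatched) {
        p->dst = n->target_addr ? n->target_addr : n->alias_addr;
        return PKT_REDIRECTED_TO_TARGET;
    }
    /* 3. Pass-through: a packet that already names a private host (delivered
     *    via a neighbour's static route) is forwarded to that host untouched. */
    return PKT_PASSED_THROUGH;
}

/* Constructed scenario: public address 198.51.100.7, internal host 172.31.0.12
 * with one open connection to 203.0.113.9:80 using alias port 50000. */
void make_demo_nat(struct nat *n, int redirect_unmatched)
{
    n->alias_addr = ip4(198, 51, 100, 7);
    n->target_addr = 0;
    n->redirect_unmatched = redirect_unmatched;
    n->links[0] = (struct link){ ip4(172, 31, 0, 12), 4000, 50000, ip4(203, 0, 113, 9), 80 };
    n->nlinks = 1;
}

int main(void)
{
    static const char *names[] = { "translated", "redirected to target", "passed through" };
    for (int fix = 0; fix <= 1; fix++) {
        struct nat n;
        make_demo_nat(&n, fix);
        /* Unsolicited packet addressed straight to the private host. */
        struct pkt direct = { ip4(203, 0, 113, 9), ip4(172, 31, 0, 12), 12345, 22 };
        enum verdict v = nat_incoming(&n, &direct);
        printf("redirect_unmatched=%d: packet to 172.31.0.12 -> %s, dst now %u.%u.%u.%u\n",
               fix, names[v], direct.dst >> 24, (direct.dst >> 16) & 255,
               (direct.dst >> 8) & 255, direct.dst & 255);
    }
    return 0;
}
```

With `redirect_unmatched` set, the packet that named the private host has its destination rewritten to the gateway's own address, so the static-route path Brian O'Shea worried about no longer reaches the internal machine; without it, the NAT code never touches the packet and the router simply forwards it. Either way the model shows why the thread treats NAT as a convenience rather than a substitute for an explicit packet filter on the external interface.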