Date:      Fri, 31 Mar 2000 15:06:22 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        Brian Somers <brian@Awfulhak.org>
Cc:        "Brian O'Shea" <boshea@ricochet.net>, Joshua Goodall <joshua@roughtrade.net>, Randy Bush <randy@psg.com>, freebsd-net@FreeBSD.ORG, brian@hak.lan.Awfulhak.org, brian@hak.lan.Awfulhak.org
Subject:   Re: Security of NAT "firewall" vs. packet filtering firewall. 
Message-ID:  <200003311406.PAA02684@hak.lan.Awfulhak.org>
In-Reply-To: Message from Brian Somers <brian@Awfulhak.org>  of "Fri, 31 Mar 2000 12:14:36 BST." <200003311114.MAA01613@hak.lan.Awfulhak.org> 

> > > However, I think Randy is essentially warning that each private address
> > > can be statically mapped to a public one, demonstrating that NAT is not
> > > necessarily a security feature, it's a convenience.
> > 
> > Ok, so that basically answers the question in my last post.  If I
> > understand correctly, someone on the same subnet as my router's external
> > interface could set a static route to my internal network through my
> > router's external interface.  In other words, I am vulnerable to attack
> > from anyone who subscribes to the same cable modem service that I do, and
> > happens to be on the same subnet (I believe subnets are regional, so
> > that means roughly anyone in my neighborhood).  Not to mention anyone
> > who manages to compromise one of my neighbor's systems and subsequently
> > attack my system.
> 
> Hmm, there's a PacketAliasSetTarget() function in libalias that will 
> direct all incoming connections to a given IP number irrespective of 
> their destination address.  Unfortunately, it's not used by either 
> ppp or natd.
> 
> I think I'll add a ``nat target'' command to ppp.

In fact, there's a bug in libalias.  Packets destined to anything 
that's not redirected (with PacketAliasRedirectAddr() or implicitly) 
should be redirected to the alias address according to the 
documentation.

This is now reality (as of about a minute ago).

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>                    <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
