Date:      Wed, 21 Jan 2004 16:48:36 +0000
From:      Alex Zbyslaw <xfb52@dial.pipex.com>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw/nated stateful rules example
Message-ID:  <400EAD64.9000700@dial.pipex.com>
In-Reply-To: <034301c3dfe4$e336c1e0$0201a8c0@dredster>
References:  <MIEPLLIBMLEEABPDBIEGIEGCFFAA.fbsd_user@a1poweruser.com> <034301c3dfe4$e336c1e0$0201a8c0@dredster>

Micheal Patterson wrote:
> Whereas what I'm doing "Private LAN Keep-State > NAT > World" is not secure
> and would not be accepted by a security professional?  How do you figure
> that either method is more or less secure than the other? If stateful is
> breached in either method, the underlying network is compromised. Sorry,
> it's late and I may be missing something but I just don't see it.

I haven't checked your specific example, but in theory there is nothing wrong with 
this at all.  One of my examples works the same way.  Packets you didn't ask 
for don't get through.  How much more security can you want?  As for breaching 
the dynamic rules you would, I think, have to spoof at least the target IP and 
probably more, in which case any firewall could succumb.

Personally, I am filing away the various examples for future use, and calling 
this topic closed.  Thanks to everyone who posted solutions. I for one am 
grateful.

--Alex
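Added example, not from this thread or its posters: an ipfw ruleset laid out as "Private LAN keep-state, then natd, then world", where the inbound divert runs before check-state (so dynamic rules match the un-NATed private address) and the outbound keep-state rules run before the outbound divert. Interface names (xl0 external, rl0 LAN), the 192.168.1.0/24 prefix, rule numbers and a natd bound to xl0 are all assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own rules). Assumes natd is running on
# the external interface, e.g. "natd -interface xl0" (assumption).
pif="xl0"                  # assumed external (NATed) interface
lif="rl0"                  # assumed private LAN interface
lan="192.168.1.0/24"       # assumed private LAN prefix
cmd="${cmd:-ipfw -q add}"  # set cmd=echo to print the rules instead of loading

load_rules() {
    # Trusted sides: loopback and the LAN interface pass unfiltered.
    $cmd 00100 allow ip from any to any via lo0
    $cmd 00110 allow ip from any to any via $lif

    # Inbound on the external interface: translate FIRST, so the packet
    # carries its private destination when check-state looks at it.
    $cmd 00200 divert natd ip from any to any in via $pif
    $cmd 00210 check-state

    # Anti-spoofing: our own private prefix must never arrive from the world.
    $cmd 00300 deny ip from $lan to any in via $pif

    # Outbound from the LAN: create the dynamic rule while the source is still
    # the private address, then jump to the outbound NAT rule.
    $cmd 00400 skipto 800 tcp from $lan to any out via $pif setup keep-state
    $cmd 00410 skipto 800 udp from $lan to any out via $pif keep-state
    $cmd 00420 skipto 800 icmp from $lan to any out via $pif keep-state

    # Anything else on the external interface was not asked for: log and drop.
    $cmd 00500 deny log ip from any to any via $pif

    # Outbound translation, reached only via skipto from the keep-state rules;
    # natd reinjects the translated packet at the next rule.
    $cmd 00800 divert natd ip from any to any out via $pif
    $cmd 00810 allow ip from any to any
}
```

Run `cmd=echo sh thisfile.sh` after adding a `load_rules` call to review the rule order before loading it for real.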



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?400EAD64.9000700>