Date: Tue, 21 Sep 1999 12:45:28 +0200
From: Eivind Eklund <eivind@FreeBSD.ORG>
To: John Heyer <john@arnie.jfive.com>
Cc: security@FreeBSD.ORG
Subject: Re: port-blocking ipfw rules with NAT - necesary?
Message-ID: <19990921124528.I12619@bitbox.follo.net>
In-Reply-To: <Pine.BSF.3.96.990920154858.3314A-100000@snake.supranet.net>; from John Heyer on Mon, Sep 20, 1999 at 04:13:41PM -0500
References: <19990920162742.A12619@bitbox.follo.net> <Pine.BSF.3.96.990920154858.3314A-100000@snake.supranet.net>
On Mon, Sep 20, 1999 at 04:13:41PM -0500, John Heyer wrote:
>
> In the firewall section of the handbook, it recommends something like:
> - Stop IP spoofing and RFC1918 networks on the outside interface
> - Deny most (if not all) UDP traffic
> - Protect TCP ports 1-1024,2000,2049,6000-6063 on the internal network
>
> These rules make sense, but I think they make the assumption the network
> you're protecting is routable. If I'm running NAT and my internal network is
> non-routable, do I really need to continue blocking ports? For example,
> let's say someone was running an open relay mail server or vulnerable FTP
> server - would it be possible for an intruder to somehow access the
> internal machine assuming I'm not using -redirect_port or
> -redirect_address with natd?

It shouldn't be - but it is always prudent to use several layers of defense.

Eivind.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990921124528.I12619>
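Added example, not from this thread or from the FreeBSD handbook: an rc.firewall-style sh script that keeps all three classes of handbook rules in place on a natd'd network, so the port blocks remain a second layer behind "no -redirect_port". The interface names (ed0 outside, ed1 inside), the 192.168.1.0/24 inside net, the 198.51.100.1 resolver and the rule numbers are assumptions. fwcmd defaults to "echo ipfw", so the script only prints the rules it would load; run it with FWCMD=/sbin/ipfw as root to load them.

```shell
#!/bin/sh
# Added example (not from the thread or the handbook): ipfw + natd ruleset
# that keeps the handbook's port blocks as a second layer behind NAT.
# Assumed topology: ed0 = outside interface, ed1 = inside interface on
# 192.168.1.0/24, 198.51.100.1 = resolver whose UDP replies must come back.
# fwcmd defaults to "echo ipfw" (dry run); FWCMD=/sbin/ipfw loads for real.
fwcmd=${FWCMD:-"echo ipfw"}
oif=ed0
iif=ed1
dns=198.51.100.1

# RFC 1918 space in classic net:mask form; the inside net is inside it.
bogons="10.0.0.0:255.0.0.0 172.16.0.0:255.240.0.0 192.168.0.0:255.255.0.0"

firewall_rules() {
    $fwcmd -f flush

    # Loopback and the inside interface are trusted.
    $fwcmd add 100 pass all from any to any via lo0
    $fwcmd add 200 deny all from any to 127.0.0.0:255.0.0.0
    $fwcmd add 300 pass all from any to any via $iif

    # Layer 1, before natd sees the packet: nothing arriving on the outside
    # may carry an RFC 1918 (hence also our own inside) source address.
    n=1000
    for net in $bogons; do
        $fwcmd add $n deny all from $net to any in via $oif
        n=$((n + 10))
    done

    # Hand everything on the outside interface to natd. Inbound packets that
    # match a translation come back with an inside destination; unsolicited
    # ones keep the public address and fall through to the rules below.
    $fwcmd add 2000 divert natd all from any to any via $oif

    # Layer 2, after translation: an RFC 1918 address must never leave the
    # outside interface, as source (natd missed it) or as destination.
    n=3000
    for net in $bogons; do
        $fwcmd add $n deny all from $net to any out via $oif
        $fwcmd add $((n + 5)) deny all from any to $net out via $oif
        n=$((n + 10))
    done

    # Replies to connections opened from inside (pre-keep-state ipfw).
    $fwcmd add 4000 pass tcp from any to any established

    # Layer 3: the handbook's port blocks, kept although the inside net is
    # unroutable, so a later -redirect_port cannot expose these services.
    # Split into three rules: old ipfw took a range only as the first
    # element of a port list.
    $fwcmd add 5000 deny tcp from any to any 1-1024 in via $oif
    $fwcmd add 5010 deny tcp from any to any 2000,2049 in via $oif
    $fwcmd add 5020 deny tcp from any to any 6000-6063 in via $oif

    # Deny inbound UDP except replies from our resolver.
    $fwcmd add 6000 pass udp from $dns 53 to any in via $oif
    $fwcmd add 6010 deny udp from any to any in via $oif

    # Outbound traffic from the (now translated) inside is fine.
    $fwcmd add 7000 pass tcp from any to any out via $oif
    $fwcmd add 7010 pass udp from any to any out via $oif
    $fwcmd add 7020 pass icmp from any to any
    # Anything else hits the kernel's default rule 65535 (deny).
}

firewall_rules
```

The ordering around the divert rule is the part that changes once the inside net is RFC 1918: source-address checks go before the divert (the packet's source is still what the wire carried), destination checks go after it (natd has rewritten the destination of inbound packets to the inside address, so a "deny to 192.168.0.0/16 via ed0" placed after the divert would drop every legitimate reply). The port blocks sit after the divert on purpose: a packet that natd maps to an inside host, whether through a translation entry or a redirect added later, is still checked against them.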