Date:      Wed, 22 Sep 1999 12:22:22 -0700
From:      Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To:        Eivind Eklund <eivind@FreeBSD.ORG>
Cc:        John Heyer <john@arnie.jfive.com>, security@FreeBSD.ORG
Subject:   Re: port-blocking ipfw rules with NAT - necesary? 
Message-ID:  <199909221923.MAA05400@passer.osg.gov.bc.ca>
In-Reply-To: Your message of "Tue, 21 Sep 1999 12:45:28 +0200." <19990921124528.I12619@bitbox.follo.net>

In message <19990921124528.I12619@bitbox.follo.net>, Eivind Eklund 
writes:
> On Mon, Sep 20, 1999 at 04:13:41PM -0500, John Heyer wrote:
> > 
> > In the firewall section of the handbook, it recommends something like:
> > - Stop IP spoofing and  RFC1918 networks on the outside interface
> > - Deny most (if not all) UDP traffic
> > - Protect TCP ports 1-1024,2000,2049,6000-6063 on the internal network
> > 
> > These rules make sense, but I think they make the assumption the network
> > you're protecting is routable.  If I'm running NAT and my internal network
> > is non-routable, do I really need to continue blocking ports?  For example,
> > let's say someone was running an open relay mail server or vulnerable FTP
> > server - would it be possible for an intruder to somehow access the
> > internal machine assuming I'm not using -redirect_port or
> > -redirect_address with natd?
> 
> It shouldn't be - but it is always prudent to use several layers of
> defense.

How true.  A few years ago I was able to access (ping, traceroute) 
someone's RFC1918 network.  More recently a leak, due to a 
misconfigured router, of some ARPA addresses was blocked by my 
firewall.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC
                      "e**(i*pi)+1=0"
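The point made in this exchange, that the handbook's anti-spoofing, UDP and protected-port rules still earn their keep behind NAT, can be illustrated with a small filter simulator. This is an added example, not code from the thread or the FreeBSD handbook; it models packets as seen after natd has translated them (i.e. where a rule placed after the divert rule would see them), and the interface names `ed0`/`ed1`, the LAN prefix `192.168.1.0/24` and the two permitted UDP ports are assumptions.

```python
"""Simulate the handbook-style ipfw policy quoted in the thread.

Added example: first-match evaluation of three rule groups against
constructed packets, showing that a private-address source arriving on
the outside interface (the leak Cy describes) is dropped by rule 100
whether or not the LAN is routable.
"""
import ipaddress
from dataclasses import dataclass

# Assumed interface names and LAN prefix; change to match your own box.
OUTSIDE_IF = "ed0"
INSIDE_IF = "ed1"
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Protected TCP ports exactly as quoted from the handbook in the thread.
PROTECTED_TCP = set(range(1, 1025)) | {2000, 2049} | set(range(6000, 6064))
# Assumed exceptions to "deny most UDP": DNS and NTP replies.
ALLOWED_UDP = {53, 123}


@dataclass
class Packet:
    iface: str      # interface the packet arrives on
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0  # destination port, 0 for protocols without one


def filter_packet(pkt: Packet):
    """Return (rule_number, verdict); the first matching rule wins, like ipfw."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == OUTSIDE_IF:
        # 100: anti-spoofing. RFC1918 sources never legitimately arrive from
        # outside, so a leaked or spoofed private address is dropped here
        # regardless of what NAT does with the reply path.
        if any(src in net for net in RFC1918):
            return 100, "deny"
        # 200: deny most UDP coming in from the outside.
        if pkt.proto == "udp" and pkt.dport not in ALLOWED_UDP:
            return 200, "deny"
        # 300: protect the sensitive TCP ports on the internal network.
        if pkt.proto == "tcp" and dst in INTERNAL_NET and pkt.dport in PROTECTED_TCP:
            return 300, "deny"
    # 65000: everything else passes (inside-to-inside traffic included).
    return 65000, "allow"


def tally_denies(packets):
    """Count denies per rule number, the way one would read ipfw -a counters."""
    counts = {}
    for pkt in packets:
        rule, verdict = filter_packet(pkt)
        if verdict == "deny":
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample traffic; 203.0.113.0/24 is documentation space.
SAMPLE_PACKETS = [
    Packet("ed0", "tcp", "10.1.1.1", "192.168.1.5", 25),        # leaked private source
    Packet("ed0", "udp", "203.0.113.9", "192.168.1.5", 161),    # SNMP probe from outside
    Packet("ed0", "udp", "203.0.113.9", "192.168.1.5", 53),     # DNS reply, permitted
    Packet("ed0", "tcp", "203.0.113.9", "192.168.1.5", 25),     # SMTP to the LAN relay
    Packet("ed0", "tcp", "203.0.113.9", "192.168.1.5", 8080),   # unprotected port
    Packet("ed1", "tcp", "192.168.1.10", "192.168.1.5", 25),    # LAN-to-LAN mail
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        rule, verdict = filter_packet(pkt)
        print(f"{rule:5d} {verdict:5s} {pkt.iface} {pkt.proto} "
              f"{pkt.src} -> {pkt.dst}:{pkt.dport}")
    print("denies per rule:", tally_denies(SAMPLE_PACKETS))
```

The interesting case is the first packet: with NAT alone one assumes nothing from outside can reach 192.168.1.5, yet a misconfigured upstream router can deliver packets with private source addresses, and without rule 100 they would be judged only by the port rules.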

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message