From owner-freebsd-net  Tue Mar 28 14:47:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mail.rdc1.sfba.home.com (ha1.rdc1.sfba.home.com [24.0.0.66])
	by hub.freebsd.org (Postfix) with ESMTP id 6559A37C23B
	for <freebsd-net@FreeBSD.ORG>; Tue, 28 Mar 2000 14:47:09 -0800 (PST)
	(envelope-from boshea@ricochet.net)
Received: from beastie.localdomain ([24.19.158.41])
          by mail.rdc1.sfba.home.com (InterMail v4.01.01.00 201-229-111)
          with ESMTP
          id <20000328224707.KLYN5721.mail.rdc1.sfba.home.com@beastie.localdomain>;
          Tue, 28 Mar 2000 14:47:07 -0800
Received: (from brian@localhost)
	by beastie.localdomain (8.9.3/8.8.7) id OAA22363;
	Tue, 28 Mar 2000 14:56:15 -0800 (PST)
	(envelope-from brian)
Date: Tue, 28 Mar 2000 14:56:15 -0800
From: "Brian O'Shea" <boshea@ricochet.net>
To: Randy Bush <randy@psg.com>
Cc: Kelly Yancey <kbyanc@posi.net>, freebsd-net@FreeBSD.ORG
Subject: Re: Security of NAT "firewall" vs. packet filtering firewall.
Message-ID: <20000328145615.B330@beastie.localdomain>
Mail-Followup-To: Randy Bush <randy@psg.com>,
	Kelly Yancey <kbyanc@posi.net>, freebsd-net@FreeBSD.ORG
References: <20000328113534.W330@beastie.localdomain> <Pine.BSF.4.05.10003281436440.3162-100000@kronos.networkrichmond.com> <E12a411-0001UE-00@roam.psg.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <E12a411-0001UE-00@roam.psg.com>; from Randy Bush on Wed, Mar 29, 2000 at 07:29:11AM +0930
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Mar 29, 2000 at 07:29:11AM +0930, Randy Bush wrote:
> > NAT will effectively protect the boxes on your network.
> 
> how?  firewalls protect.  nat merely translates addresses.

Correct.  And since there is no way for machines outside of my local
network to know what internal addresses are being translated by my
router, there is no way to address them from outside.  Even if these
addresses are known, there is no route to them from the internet;
they are reserved for use by private networks:
<http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1918.txt>

So my network is logically isolated from the rest of the world, with
the exception that internal machines can establish connections to
external machines.

-brian

-- 
Brian O'Shea
boshea@ricochet.net


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message