Date:      Sun, 3 Oct 1999 12:51:34 -0700 (PDT)
From:      "f.johan.beisser" <jan@caustic.org>
To:        Dmitriy Bokiy <ratebor@cityline.ru>
Cc:        FreeBSD Security ML <freebsd-security@FreeBSD.ORG>
Subject:   Re: natd -deny_incoming
Message-ID:  <Pine.BSF.4.05.9910031234160.41067-100000@pogo.caustic.org>
In-Reply-To: <18882.991003@cityline.ru>

On Sun, 3 Oct 1999, Dmitriy Bokiy wrote:

> Just to be completely sure. Is it correct that if I don't run natd
> with "-deny_incoming" option turned on it's going to accept external
> connections to RFC addresses which at the moment have an entry in NATd's
> internal translation table?

no, it shouldn't. because of how TCP/IP works, even if the request is on
a port that is open (natd will drop it anyway) the daemon holding the port
open will renegotiate it anyway. natd can do port forwarding though, and
map certain ports over to other machines in the internal network.

natd also doesn't care about the RFC networks. it plays dumb, and just
listens to its designated interface.
 
> If that's so is there some ground under it or is it just a "feature"?
> In other words: why do we need this option at all if "deny incoming to
> RFCs" could be default behavior?

well, the problem with denying the unroutable networks (RFC 1918,
192.168.0.0, 10.0.0.0, 172.16.0.0) from natd is that some folks (in my
lab, included) will want to have an unroutable network inside of an
unroutable.
 
> Or do I miss anything?

no, i don't think so.

if you're really worried about spoofing coming through, i'd suggest using
IPFW or IPFILTER to stop the spoofing. it's just two lines in the IPFW to
stop it.

-- jan
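The IPFW anti-spoofing rules Jan refers to, written out as an added example (it is not code from the thread). It generalizes his "two lines" to all three RFC 1918 blocks, in both directions; the external interface name `ed0` and the starting rule number are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: the ipfw anti-spoofing rules
# Jan mentions, generalized to all three RFC 1918 blocks.
# Assumption: EXT_IF is the interface facing the Internet (ed0 is a placeholder).
EXT_IF="${EXT_IF:-ed0}"

# RFC 1918 private address blocks.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Emit, one per line, the ipfw commands that drop spoofed traffic on the
# external interface:
#   - packets coming IN from the Internet that claim a private source address
#   - packets going OUT to the Internet with a private destination address
# Rule numbers start at $2 (default 100) so they sort before the
# "divert natd" rule: spoofed packets must be dropped before translation.
antispoof_rules() {
    ext="$1"
    n="${2:-100}"
    for net in $PRIVATE_NETS; do
        echo "ipfw add $n deny log ip from $net to any in via $ext"
        n=$((n + 1))
        echo "ipfw add $n deny log ip from any to $net out via $ext"
        n=$((n + 1))
    done
}

# Number of rules the function generates (two per private block).
antispoof_rule_count() {
    antispoof_rules "$1" | grep -c .
}

# On a FreeBSD box with ipfw, apply the rules; elsewhere just print them.
if command -v ipfw >/dev/null 2>&1; then
    antispoof_rules "$EXT_IF" | sh
else
    antispoof_rules "$EXT_IF"
fi
```

The generated rules only cover address spoofing on the outside interface; the inside network still needs its own rules if Jan's "unroutable inside an unroutable" layout is in use.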


