On Tue, Nov 07, 2000 at 05:04:39AM -1000, Brian Russo wrote:
> hm if you're using private addressing and doing NAT/PAT ?
> well obviously you can't do that transparently because .. it has no network
> address, the fw that is.

Sure.

> i don't see how it makes your internal sites more open to attack if
> you're using globals, as you can still apply pretty much the same fw ruleset.

Let's say I run some server behind my firewall and a proxy on my firewall. In this situation an attacker either has to take over the firewall, or he/she has to find a way to attack my server through my proxy. If I just route packets to my server (and this includes port forwarding, which is often used in NAT environments) the attacker can attack my server directly.

A pretty good example is ftp. A client suffices, no need to run a server. There are exploits known for active and passive ftp, so that your average script kiddie can open a hole in your firewall in seconds, even in a masquerading environment. So your setup seems to be even easier to break into.

Michael
--
Michael Meskes
[email protected]
Go SF 49ers! Go Rhein Fire!
Use Debian GNU/Linux! Use PostgreSQL!
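The FTP hole Michael refers to comes from a NAT helper trusting the address and port announced in a client's PORT command; the following check is an added example (not part of this thread) of how a helper can validate a PORT line before opening anything, using the RFC 959 `h1,h2,h3,h4,p1,p2` format and a constructed sample client address.

```python
import re

# Constructed sample: the inside address of the masqueraded client whose
# control connection the helper is inspecting.
CLIENT_ADDR = "192.168.1.10"

# RFC 959 PORT syntax: PORT h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def parse_port(line):
    """Return (ip, port) from a PORT line, or None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def helper_should_open(line, client_addr):
    """Decide whether a NAT/conntrack helper may pre-open the data
    connection announced in `line`.

    Only an address equal to the control connection's own source and a
    non-privileged port are accepted, so a crafted PORT command cannot be
    used to have the firewall open a path to another inside host or to a
    service port on the client itself.
    """
    parsed = parse_port(line)
    if parsed is None:
        return False
    ip, port = parsed
    if ip != client_addr:
        return False          # address does not belong to this connection
    if port < 1024:
        return False          # refuse privileged/service ports
    return True


if __name__ == "__main__":
    for cmd in ("PORT 192,168,1,10,4,1", "PORT 192,168,1,20,4,1",
                "PORT 192,168,1,10,0,23"):
        print(cmd, "->", helper_should_open(cmd, CLIENT_ADDR))
```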

