>From: Greg Hudson <[EMAIL PROTECTED]>
>
>> But anybody clearly understands that if your internal hosts do not have
>> a public address then all attacks may be only static - wait until
>> an internal host opens TCP to somewhere.
>
>This is a naive understanding.  Source-routing would let me get
>packets through to an internal address unless your NAT also acts as a
>firewall.
>
   Let's try. Today most hosts have "IP-forwarding" switched off,
for security reasons.

>(Granted, I think it turns out that pretty much all NATs do this kind
>of firewalling in all cases.  But there's no reason why a firewall
>allowing only outgoing connections should be any more error-prone than
>a NAT gateway.)

   Greg, how do you determine an outgoing RTP connection like VoIP, for example?
UDP often has no clear "open" packet and is difficult to control in a classic
firewall. Fortunately VoIP may have H.323 or SIP negotiation first,
but are you sure about other protocols?

                               - Leonid Yegoshin, LY22
