> This strikes me as somewhat of a bonehead question, but it's something
> that's bothered me for a while:
>
> Let's say I have DSL at home. Let's also say that I have a single public
> IP address, but my internal LAN uses private addressing. The DSL router
> performs some sort of NAT or PAT (probably PAT here). All my internal
> machines can reach the Internet through the DSL router, but when they
> come out, the source address is changed to the public address. The ports
> are managed by the router, so that it knows who's talking to whom, and
> can thus properly direct returning traffic.
>
> Since someone from the outside accessing the router itself would be a bad
> idea, say I'm blocking that. Let's say it's managed by http, and I have a
> filter rule that prohibits anything but my private network from reaching
> port 80.
>
> Now, for all intents and purposes, how vulnerable is my internal network?
>
> You can't start a connection with an internal system because you can't
> reach its IP address. Even if you did manage to hijack a session, of how
> much value would it really be?
>
> So it seems to me that if you use NAT/PAT, you don't need a real firewall
> unless you're actually permitting some kind of traffic to connect to
> something from the outside.
>
> Is that right?

Not at all, Dee. Try to think of a vulnerability in your DSL router (e.g. a
single UDP packet that makes your router OS crash, letting you access its
configuration). Your DSL router can be used as a "first hop" to reach your
internal network. Once you have got access to the DSL router as Admin, the
game is over.

Giorgio

>
> -- Dee
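To make the two positions in this exchange concrete, here is an added example (not code from either poster): a toy model of the DSL router described above, doing PAT plus Dee's "only the LAN may reach port 80" rule, which traces where WAN-side packets end up. The addresses, the router's own listening services, and the `wan_default_deny` hardening switch are all constructed for the example.

```python
# Added example, not from the original thread: a toy model of a DSL router that
# does PAT and has Dee's "only the LAN may reach port 80" rule, used to trace
# where WAN-side packets end up. All addresses and services are constructed.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"      # constructed WAN address (TEST-NET-3)
PRIVATE_NET = "192.168.1."     # constructed private LAN prefix


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Router:
    # PAT table: (proto, public_port) -> (internal_ip, internal_port)
    pat: dict = field(default_factory=dict)
    next_port: int = 40000
    # Services the router itself listens on (constructed: http admin, udp snmp)
    services: set = field(default_factory=lambda: {("tcp", 80), ("udp", 161)})
    # Hardened setting: deny WAN access to every router service, not just http
    wan_default_deny: bool = False

    def outbound(self, pkt):
        """Rewrite a LAN packet's source to the public IP and record the mapping."""
        public_port = self.next_port
        self.next_port += 1
        self.pat[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, public_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        """Decide what happens to a packet addressed to the public IP."""
        from_lan = pkt.src.startswith(PRIVATE_NET)
        if (pkt.proto, pkt.dport) in self.pat:
            ip, port = self.pat[(pkt.proto, pkt.dport)]
            return f"forward to {ip}:{port}"      # reply to an existing flow
        if (pkt.proto, pkt.dport) in self.services:
            if not from_lan and self.wan_default_deny:
                return "drop: wan default deny"
            if (pkt.proto, pkt.dport) == ("tcp", 80) and not from_lan:
                return "drop: management acl"     # Dee's http-only rule
            return f"router itself handles {pkt.proto}/{pkt.dport}"
        return "drop: no pat mapping"             # internal hosts unreachable
```

With the default settings, unsolicited packets to internal hosts are dropped (Dee's point), but any router service other than http is still reachable from the WAN (Giorgio's point); `wan_default_deny=True` is the firewall-style rule that closes that gap.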
