On 6/5/06, Chris Buechler <[EMAIL PROTECTED]> wrote:
> Ah, ok, yeah you're right on that.  But that's useless.  Who cares what
> the destination port was prior to NAT?  That only matters if you open
> up, say, port 88 and 888 on the WAN, going to the same internal host on
> the same internal port, say port 80 internally.  If you're going to let
> some IP get to that internal machine's port 80, who cares if it can get
> to it via port 88 and 888 from the WAN rather than just one of those?
>
> The best that could possibly provide you is a little obscurity in some
> very odd, uncommon scenarios.
>
> Can you give me an example of a legit need for this, that isn't some
> poor attempt at security through obscurity?

Sure :)  I want port 443 from my work address to redirect to port 22
on my internal host, but for everyone else I want it to go to 443 on
my webserver.  I've been meaning to change that behavior for some time
now, but it's never annoyed me enough as I've got 5 statics to play
with and can work around it.

Or I want port 443 to redirect to my honeypot by default except for my
friends which can legitimately get there.  That can't be accomplished
by rules alone (ok, so it can with policy routing - bleh - talk about
a hack ;)), but the point remains.

--Bill
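The two scenarios Bill describes, written out as a pf.conf fragment (an added example, not from the thread or from pfSense itself; all addresses and interface names are constructed). It assumes classic pf rdr/pass syntax, and it shows why the source address has to be decided in the rdr rule: filter rules run after translation, so they only ever see the internal host and port.

```pf
ext_if    = "em0"
ext_addr  = "203.0.113.10"      # constructed WAN address
work_ip   = "198.51.100.7"      # constructed: the one source allowed to reach SSH
webserver = "192.168.1.10"      # constructed internal hosts
sshhost   = "192.168.1.20"
honeypot  = "192.168.1.30"
table <friends> { 198.51.100.0/24, 192.0.2.5 }   # constructed friend sources

# rdr rules are first-match, so the specific sources must come before the catch-all.
# Same WAN port 443, three different internal destinations chosen by source:
rdr on $ext_if proto tcp from $work_ip  to $ext_addr port 443 -> $sshhost   port 22
rdr on $ext_if proto tcp from <friends> to $ext_addr port 443 -> $webserver port 443
rdr on $ext_if proto tcp from any       to $ext_addr port 443 -> $honeypot  port 443

# Filter rules are evaluated after the rdr has rewritten the destination, so they
# match on the internal host and port, never on "WAN port 443". Keep them as tight
# as the rdr rules so a later rdr change cannot silently widen access.
pass in on $ext_if proto tcp from $work_ip  to $sshhost   port 22  flags S/SA keep state
pass in on $ext_if proto tcp from <friends> to $webserver port 443 flags S/SA keep state
pass in on $ext_if proto tcp from any       to $honeypot  port 443 flags S/SA keep state
```

After loading, `pfctl -sn` shows the rdr rules in evaluation order, which is the quickest way to confirm the catch-all honeypot rule really is last.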
