For those of us interested in learning more but who had no clue what you just said (>me<)...could you kindly translate? :)
-- William Sutton

On Fri, 14 Apr 2006, Ryan Leathers wrote:

> Brian,
>
> NAT does not give you stateful inspection. Imagine the example of shell
> shoveling. Through some exploit, an outbound connection is made from
> your network, through the NAT, to some destination. Said exploit
> permits a shell to be tossed at the destination so the remote attacker
> now has an interactive connection right through your NAT. (People
> sometimes use netcat to do this, thwarting the office security policy)
> Obviously, preventing the exploit in the first place is desirable, but
> if you are using a stateful firewall there is an excellent chance you'll
> be protected from this kind of exploit.
>
> Ryan
>
> On Fri, 2006-04-14 at 10:48 -0400, Brian Henning wrote:
> > Okay, since there's still a lot I have to learn, I'll ask the question:
> >
> > What do you gain from having a firewall behind a NAT router with no port
> > forwards? Speaking only in terms of inbound protection, of course.
> > Obviously a firewall can filter traffic in both directions. Can one not
> > depend on a forwardless NAT router to simply drop all incoming
> > connection attempts? Are there packets, or methods of connecting, that
> > can somehow sneak through such a NAT setup and reach machines on the inside?
> >
> > In all the networks I administer, firewall + router is the standard
> > operating procedure, so I'm just interested in more of the reasons why
> > it's a good idea (that is, I don't need any convincing to start doing it).
> >
> > As always, both lengthy explanations and links to reading material are
> > appreciated equally. :-)
> >
> > Cheers,
> > ~B
> >
> > P.S. A linux box with iptables configured on the "reject everything but
> > _____" principle counts as "good," right? :-)
> >
> > Cristobal Palmer wrote:
> > > So the backstory is that we (Brian + Cerient) ate lunch, and I told
> > > Brian about this... *ahem* ...friend of mine who insisted to me that a
> > > router is always a firewall. When I say insisted, I mean he followed
> > > me after I'd gotten up and left the room. I mean he emailed me the
> > > next morning to follow up on his insistence.
> > >
> > > I... uhh... have some weird friends. Seriously though, get a good
> > > firewall everybody. The internets are dangerous.
> > >
> > > Vice-chair-ily yours,
> > > CMP

-- 
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
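An added example, not part of this thread or written by any of the posters: an iptables rule set in Brian's "reject everything but _____" style that also does the egress filtering Ryan's point calls for. A plain NAT router forwards any outbound connection, so a shell pushed outward from a compromised inside host rides straight through it; a stateful rule set only lets NEW outbound flows through on an explicit allow-list, tracks replies with conntrack, and logs everything it denies so the event is visible. The interface names (eth0/eth1), the LAN range, the port lists and the EGRESS-DENIED log prefix are constructed assumptions to be adjusted per site.

```shell
#!/bin/sh
# Added example (not from the TriLUG thread): default-deny iptables policy
# for a small Linux NAT router, with stateful egress filtering.
# Assumptions (constructed): eth0 faces the Internet, eth1 the LAN,
# the LAN is 192.168.1.0/24, and inside hosts may only open web, DNS and NTP.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TCP_OUT="${TCP_OUT:-80 443}"   # outbound TCP ports LAN hosts may open
UDP_OUT="${UDP_OUT:-53 123}"   # outbound UDP ports (DNS, NTP)

# Emit the rule set as text rather than applying it directly, so the policy
# can be reviewed or diffed before it touches a live router.
ruleset() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Explicit egress allow-list: these are the only NEW flows that may leave.
    for p in $TCP_OUT; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $UDP_OUT; do
        echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Anything else trying to leave hits the logging rule, then the DROP policy.
    cat <<EOF
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "EGRESS-DENIED: "
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Number of explicit outbound allow rules; a quick sanity check during review.
egress_allow_count() {
    ruleset | grep -c -- '-A FORWARD .*--ctstate NEW -j ACCEPT'
}

# Apply only when explicitly asked, running as root, with iptables present;
# otherwise just print the rules for inspection.
if [ "${APPLY:-no}" = yes ] && [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    ruleset | sh -e
else
    ruleset
fi
```

Running the script without APPLY=yes only prints the rules. The design point is the FORWARD chain: conntrack admits replies to flows the allow-list opened, NEW flows to anything other than the listed ports are logged with the EGRESS-DENIED prefix and dropped, and the NAT MASQUERADE rule only ever sees packets that already passed that filter. Watching the kernel log for that prefix is the detection side of the same policy; the router's own OUTPUT chain gets the same allow-list treatment if the box needs to reach out itself.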
