
Re: [Sheflug] Re: Iptables



On Sun, 2002-05-05 at 19:03, Andrew Basterfield wrote:
> The ftp client knows what port to expect ftp-data on, but the firewall
> doesn't.

Yes, it does. It _has_ to know - otherwise, how does the incoming
connection get diverted to the correct workstation in a masquerading
setup? Think about it :)

> But close enough. You can block packets with the combinations of fin, urg
> & push flags nmap uses with other firewall rules.

My point was that blocking on various rules isn't nearly as good as not
actually having the packet routing available - given a source
nat/masquerading setup, and a 1-1 private:public nat setup, the
masquerading system is more protective because to route to a private
machine requires an entry in the de-masquerade machinery.

> > Or, worse, providing your own DHCP service :)
> 
> That would be the next step :)

And once you've got DHCP, you've probably also got DNS. And then y00 0wn
the w0rld :)

Cheers,

Alex.

PS Nice one Craig - looks like it's fixed!
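Added example, not part of the original thread: the firewall "knows" the ftp-data port because the connection-tracking FTP helper reads the control channel and records an expectation for the one data connection that should follow. The sketch below (hostnames, addresses and the `loose` flag are this example's own, not the kernel's code) derives that expectation from a PORT or 227 line and then admits a data-connection SYN only if it matches one, which is the "no route unless expected" property the reply argues for.

```python
"""Derive the FTP data-connection expectation a stateful firewall learns by
reading the control channel, in the spirit of the ip_conntrack_ftp helper."""
import re
from typing import Optional, Set, Tuple

# Client -> server, active mode: "PORT h1,h2,h3,h4,p1,p2"; the server will
# connect back to h1.h2.h3.h4 on port p1*256+p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Server -> client, passive mode: "227 Entering Passive Mode (h1,...,p2)";
# the client will connect to the advertised address/port.
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# (initiator_ip, target_ip, target_port): the single flow to let through.
Expectation = Tuple[str, str, int]

def _decode(groups) -> Tuple[str, int]:
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in FTP address")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def ftp_expectation(line: str, client_ip: str, server_ip: str,
                    loose: bool = False) -> Optional[Expectation]:
    """Return the data connection to expect after this control-channel line,
    or None if the line creates no expectation. With loose=False the advertised
    address must be the speaking peer's own address, so the control channel
    cannot be used to open a hole towards some third host."""
    m = PORT_RE.match(line)
    if m:  # active mode: server -> client:port
        ip, port = _decode(m.groups())
        return None if (not loose and ip != client_ip) else (server_ip, ip, port)
    m = PASV_RE.match(line)
    if m:  # passive mode: client -> server:port
        ip, port = _decode(m.groups())
        return None if (not loose and ip != server_ip) else (client_ip, ip, port)
    return None

def admit_data_syn(expectations: Set[Expectation],
                   src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """A new data-connection SYN is admitted only if it matches a recorded
    expectation, which is consumed (one-shot). Anything else has no entry in
    the de-masquerade machinery and is simply dropped."""
    key = (src_ip, dst_ip, dst_port)
    if key in expectations:
        expectations.discard(key)
        return True
    return False
```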
