On Sun, 2002-05-05 at 19:03, Andrew Basterfield wrote:

> The ftp client knows what port to expect ftp-data on, but the firewall
> doesn't.

Yes, it does. It _has_ to know - otherwise, how does the incoming connection get diverted to the correct workstation in a masquerading setup? Think about it :)

> But close enough. You can block packets with the combinations of fin, urg
> & push flags nmap uses with other firewall rules.

My point was that blocking on various rules isn't nearly as good as not actually having the packet routing available - given a source nat/masquerading setup, and a 1-1 private:public nat setup, the masquerading system is more protective because to route to a private machine requires an entry in the de-masquerade machinery.

> > Or, worse, providing your own DHCP service :)
>
> That would be the next step :)

And once you've got DHCP, you've probably also got DNS. And then y00 0wn the w0rld :)

Cheers,
Alex.

PS Nice one Craig - looks like it's fixed!
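The "de-masquerade machinery" Alex refers to is what a firewall's FTP connection-tracking helper maintains: it reads the client's PORT command, rewrites the private address to the firewall's public one, and records which workstation the server's inbound ftp-data connection belongs to. The following is an added illustration written for this page, not code from the thread or from any real firewall; the class name, the public address (a documentation-range IP) and the port allocation scheme are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")

def parse_port(cmd: str) -> Optional[Tuple[str, int]]:
    """Parse an active-mode FTP PORT command ('PORT h1,h2,h3,h4,p1,p2') into (host, port)."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def format_port(host: str, port: int) -> str:
    """Inverse of parse_port: build the PORT command announcing host:port."""
    return "PORT " + ",".join(host.split(".")) + f",{port // 256},{port % 256}"

class FtpMasqHelper:
    """Toy model (hypothetical class) of a masquerading firewall's FTP helper.

    When a LAN client sends PORT, the firewall rewrites the private address to
    its own public one and records the mapping, so the server's inbound
    ftp-data connection can be de-masqueraded to the right workstation.
    Anything not in that table has nowhere to be routed and is dropped.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port          # constructed allocation scheme
        # (public_ip, public_port) -> (private_host, private_port)
        self.expected: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def rewrite_port_command(self, private_src: str, cmd: str) -> str:
        """Rewrite a PORT command sent by private_src; other commands pass through."""
        parsed = parse_port(cmd)
        if parsed is None:
            return cmd
        host, port = parsed
        if host != private_src:
            # A PORT address other than the sender's would aim the server's data
            # connection at a third host, so the helper refuses to track it.
            raise ValueError("PORT address does not match connection source")
        pub_port = self.next_port
        self.next_port += 1
        self.expected[(self.public_ip, pub_port)] = (host, port)
        return format_port(self.public_ip, pub_port)

    def route_inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Private (host, port) an inbound ftp-data SYN is forwarded to; None means drop."""
        return self.expected.pop((dst_ip, dst_port), None)
```

Each expectation is consumed on first use, so a second connection to the same public port after the data transfer has been set up is dropped like any other unsolicited packet.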