
Re: [Sheflug] Re: Iptables



On 05 May 2002 19:40:19 +0100
Alex Hudson <home [at] alexhudson.com> wrote:

> On Sun, 2002-05-05 at 19:03, Andrew Basterfield wrote:
> > The ftp client knows what port to expect ftp-data on, but the firewall
> > doesn't.
> 
> Yes, it does. It _has_ to know - otherwise, how does the incoming
> connection get diverted to the correct workstation in a masquerading
> setup? Think about it :)

Linux 2.4 will masquerade active ftp? How does it work then?

I never had active ftp masquerading with linux 2.2, now I use OpenBSD
which has a transparent ftp proxy should you want to do active ftp with
NAT. Active ftp is not necessary when the clients can use passive ftp.
None of the free BSDs are set up to use active ftp by default.

> > But close enough. You can block packets with the combinations of fin,
> > urg & push flags nmap uses with other firewall rules.
> 
> My point was that blocking on various rules isn't nearly as good as not
> actually having the packet routing available - given a source
> nat/masquerading setup, and a 1-1 private:public nat setup, the
> masquerading system is more protective because to route to a private
> machine requires an entry in the de-masquerade machinery.

You can have both, they're not mutually exclusive. So they can't scan your
web server because it is NATed into private address space, but the gateway
still has a public IP and that can be scanned and that's what you have to
protect. With r00t on the gateway you can nat/ssh tunnel #anything# from
the inside to the outside. NAT was designed to help reduce the pressure on
the depleted free IP address space, any security benefits are secondary,
and with the eventual roll-out of ipv6 it will be obsolete. IP-masq also
breaks lots of (poor) services (like active ftp), which can be fixed but
only with one-off service-by-service hacks.

I do appreciate the uses of NAT, I use it to masq my network behind a
single inet4 IP. I do also have a 48 bit inet6 network to play with
(281,474,976,710,656 IP addresses all resolvable outside my network) which
has to be protected without hiding behind NAT.

--Andrew

-- 
sparc sun4c stuff:
	http://www.lostgeneration.freeserve.co.uk/sparc
PGP key for list [at] lostgeneration.freeserve.co.uk:
	http://www.lostgeneration.freeserve.co.uk/list.freeserve.co.uk.asc
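The two mechanisms argued over in the thread, a NAT helper that reads the client's PORT command so the gateway does know which port ftp-data will arrive on (and creates the de-masquerade entry Alex refers to), and a tcp-flags check that drops the FIN/URG/PSH combination Andrew mentions, modelled as an added toy in Python. This is a constructed example, not code from the list, from Linux 2.4 netfilter or from OpenBSD's ftp-proxy; the addresses are documentation ranges chosen here, and keeping the client's port number unchanged across NAT is a simplification of what a real helper does.

```python
import re
from dataclasses import dataclass, field

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

def flag_anomaly(flags: int):
    """Label TCP flag combinations no legitimate stack emits (the kind an
    iptables --tcp-flags rule matches), or None for a normal segment."""
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"             # FIN+URG+PSH together, the combination named in the thread
    if flags == 0:
        return "null"             # no flags at all
    if flags & (SYN | FIN) == (SYN | FIN):
        return "syn-fin"          # a segment cannot open and close at once
    if flags & FIN and not flags & ACK:
        return "fin-without-ack"  # a real FIN always carries ACK
    return None

# Active-mode FTP: the client sends "PORT h1,h2,h3,h4,p1,p2" on the control
# channel and the server connects back from port 20 to h1.h2.h3.h4 : p1*256+p2.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.M)

def parse_port_commands(payload: bytes, client_ip: str):
    """Return the (ip, port) pairs a client announced on its control channel.
    Like a conntrack helper, only trust an address equal to the client's own;
    anything else would make the firewall open a hole toward a third machine."""
    found = []
    for m in PORT_RE.finditer(payload):
        nums = [int(x) for x in m.groups()]
        if any(n > 255 for n in nums):
            continue                                   # malformed, ignore
        ip = ".".join(str(n) for n in nums[:4])
        if ip == client_ip:
            found.append((ip, nums[4] * 256 + nums[5]))
    return found

def rewrite_port_commands(payload: bytes, public_ip: str) -> bytes:
    """Replace the private address in PORT commands with the gateway's public
    one, since the server must connect to the public side. The port is kept as
    is here (simplification); a real NAT helper may allocate and rewrite it."""
    octets = public_ip.replace(".", ",").encode()
    return PORT_RE.sub(lambda m: b"PORT " + octets + b"," + m.group(5) + b"," + m.group(6), payload)

@dataclass
class MasqGateway:
    public_ip: str
    # (server_ip, public_port) -> (private_ip, private_port): the entry in the
    # de-masquerade machinery without which no inbound packet is routed inside.
    expectations: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: masquerade the source; on the FTP control channel,
        learn where ftp-data will come back and fix up the PORT command."""
        payload = pkt.payload
        if pkt.dport == 21:
            for ip, port in parse_port_commands(pkt.payload, pkt.src):
                self.expectations[(pkt.dst, port)] = (ip, port)
            payload = rewrite_port_commands(pkt.payload, self.public_ip)
        return Packet(self.public_ip, pkt.sport, pkt.dst, pkt.dport, pkt.flags, payload)

    def inbound(self, pkt: Packet):
        """internet -> gateway: drop bogus flag combinations first, then only
        forward what an expectation entry accounts for."""
        bad = flag_anomaly(pkt.flags)
        if bad:
            return ("DROP", bad)
        key = (pkt.src, pkt.dport)
        if pkt.sport == 20 and pkt.flags == SYN and key in self.expectations:
            priv_ip, priv_port = self.expectations.pop(key)   # one-shot, like a helper expectation
            return ("FORWARD", Packet(pkt.src, 20, priv_ip, priv_port, pkt.flags, pkt.payload))
        return ("DROP", "no-nat-entry")   # the gateway's own public IP still sees the probe

def demo():
    """Walk one active-FTP session plus two stray probes through the gateway."""
    gw = MasqGateway("203.0.113.5")            # constructed documentation addresses
    ctl = Packet("192.168.1.10", 40001, "198.51.100.7", 21, PSH | ACK,
                 b"PORT 192,168,1,10,195,80\r\n")
    sent = gw.outbound(ctl)                    # server now sees PORT 203,0,113,5,195,80
    data_syn = Packet("198.51.100.7", 20, "203.0.113.5", 50000, SYN)
    xmas = Packet("198.51.100.7", 55555, "203.0.113.5", 80, FIN | PSH | URG)
    stray = Packet("198.51.100.7", 55556, "203.0.113.5", 22, SYN)
    return sent, gw.inbound(data_syn), gw.inbound(xmas), gw.inbound(stray)

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Running `demo()` shows both sides of the argument at once: the ftp-data SYN is forwarded to 192.168.1.10:50000 only because the helper created an expectation from the PORT command, the FIN/URG/PSH probe is dropped by the flags check regardless of any NAT state, and the stray SYN to port 22 is dropped for lack of a NAT entry, though it still reached the gateway's public address, which is Andrew's point about what has to be protected.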
