
Re: [Sheflug] Re: Iptables



On 06 May 2002 09:04:11 +0100
Alex Hudson <home [at] alexhudson.com> wrote:

> > > My point was that blocking on various rules isn't nearly as good as
> > > not actually having the packet routing available - given a source
> > > nat/masquerading setup, and a 1-1 private:public nat setup, the
> > > masquerading system is more protective because to route to a private
> > > machine requires an entry in the de-masquerade machinery.
> > 
> > You can have both, they're not mutually exclusive.
> 
> You can have both a source nat and 1-1 nat setup? You might want to
> re-read that ;)

Sorry, I assumed you meant blocking on various [firewall?] rules vs. not
having packet routing available [source NAT] [on the topic of preventing
portscanning].

My point being that just because the host is masqueraded, you still have the
public IP of the masq gateway to protect. You still need the firewall
rules to prevent portscanning of the gateway, and with an exploit on the
gateway [like a vulnerable service found with a portscan] the hacker can
tunnel wherever he wants inside the private network.

thanks

--Andrew

-- 
sparc sun4c stuff:
	http://www.lostgeneration.freeserve.co.uk/sparc
PGP key for list [at] lostgeneration.freeserve.co.uk:
	http://www.lostgeneration.freeserve.co.uk/list.freeserve.co.uk.asc

Attachment: pgp00022.pgp
Description: PGP signature