On 06 May 2002 09:04:11 +0100 Alex Hudson <home [at] alexhudson.com> wrote:

> > > My point was that blocking on various rules isn't nearly as good as
> > > not actually having the packet routing available - given a source
> > > nat/masquerading setup, and a 1-1 private:public nat setup, the
> > > masquerading system is more protective because to route to a private
> > > machine requires an entry in the de-masquerade machinery.
> >
> > You can have both, they're not mutually exclusive.
>
> You can have both a source nat and 1-1 nat setup? You might want to
> re-read that ;)

Sorry, I assumed you meant blocking on various [firewall?] rules vs. not
having packet routing available [source NAT] [on the topic of preventing
portscanning].

My point being: just because the host is masqueraded, you still have the
public IP of the masq gateway to protect. You still need the firewall
rules to prevent portscanning of the gateway, and with an exploit on the
gateway [like a vulnerable service found with a portscan] the hacker can
tunnel wherever he wants inside the private network.

thanks
--Andrew

--
sparc sun4c stuff: http://www.lostgeneration.freeserve.co.uk/sparc
PGP key for list [at] lostgeneration.freeserve.co.uk:
http://www.lostgeneration.freeserve.co.uk/list.freeserve.co.uk.asc
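The point Andrew makes above (masquerading hides the private hosts but leaves the gateway's own public address exposed) is easiest to see side by side in two Linux netfilter rulesets. The following is an added example, not code from either mail or from the list: one function emits a masquerade-only ruleset whose INPUT chain accepts everything, the other adds the filter rules that drop unsolicited traffic to the gateway's public interface and restrict forwarding to LAN-originated connections. The interface names (eth0/eth1), the private prefix 192.168.1.0/24 and the admin host 192.168.1.10 are assumptions chosen for the illustration; both functions only print iptables-restore text and do not touch the running firewall.

```shell
#!/bin/sh
# Added example, not from the original mail. Two iptables-restore rulesets
# for a Linux masquerading gateway. Interface names, the LAN prefix and the
# admin host below are assumptions for the illustration.
WAN_IF="eth0"               # assumed public-facing interface
LAN_IF="eth1"               # assumed private-side interface
LAN_NET="192.168.1.0/24"    # assumed private network behind the gateway
ADMIN="192.168.1.10"        # assumed admin workstation on the LAN

# Weak setting: masquerading only. Outside hosts cannot route to the
# private machines, but the gateway's own public IP accepts anything, so a
# portscan of that address finds every service running on the gateway.
masq_only_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Corrected setting: the same masquerade plus filter rules that protect the
# gateway's public address and only forward LAN-originated traffic.
hardened_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the gateway itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# packets arriving on the public side with a private source are spoofed
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
# gateway management only from one LAN host, never from the public side
-A INPUT -i $LAN_IF -s $ADMIN -p tcp --dport 22 -j ACCEPT
# everything else aimed at the gateway's public address is dropped, so a
# portscan of the public IP gets no answers
-A INPUT -i $WAN_IF -j DROP
# forward only connections opened from the LAN, plus their replies
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
```

On the gateway itself the corrected ruleset would be loaded as root with `hardened_rules | iptables-restore`; the lines starting with `#` inside the heredoc are accepted by iptables-restore as comments. Note that the masquerade rule is identical in both rulesets: what changes is only the filter table, which is exactly the part the masquerading alone does not give you.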