[64656] in North American Network Operators' Group


Re: [arin-announce] IPv4 Address Space (fwd)

daemon@ATHENA.MIT.EDU (E.B. Dreger)
Thu Oct 30 05:34:49 2003

Date: Thu, 30 Oct 2003 10:34:24 +0000 (GMT)
From: "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
To: nanog@merit.edu
In-Reply-To: <3FA030BF.8020800@brightok.net>
Errors-To: owner-nanog-outgoing@merit.edu


JB> Date: Wed, 29 Oct 2003 15:27:27 -0600
JB> From: Jack Bates


JB> I think the point that was being made was that NAT allows the
JB> filtering of the box to be more idiot proof. Firewall rules
JB> tend to be complex, which is why mistakes *do* get made and
JB> systems still get compromised.  NAT interfaces and setups
JB> tend to be more simplistic, and the IP addresses of the
JB> device won't route publicly through the firewall or any
JB> unknown alternate routes.

NAT "security" is a byproduct of NAT's stateful filtering.  One
can accomplish the same effect with

	check-state
	allow ip any any recv internal0 keep-state
	deny ip any any

Such a default fw config would be equally idiot-proof with no IP
obfuscation.


Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_________________________________________________________________
          DO NOT send mail to the following addresses :
  blacklist@brics.com -or- alfra@intc.net -or- curbjmp@intc.net
Sending mail to spambait addresses is a great way to get blocked.
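To make Eddy's point concrete (that a NAT box's "security" is just the stateful default-deny of its translation table, and the same effect is had with check-state / keep-state and no address rewriting), here is an added simulation that is not part of the original post. It models the three posted rules (FreeBSD ipfw syntax: check-state, allow ... recv internal0 keep-state, deny) as a small stateful filter on globally routable addresses, and beside it a minimal outbound NAT, then runs the same three packets through both: an outbound connection, its reply, and an unsolicited inbound probe. Interface names, the RFC 5737 documentation addresses and port numbers are constructed sample values; the class and function names are mine, not any ipfw or NAT implementation's API.

```python
from dataclasses import dataclass

# Constructed sample values (assumptions for this example, not from the post).
INTERNAL_IF = "internal0"
EXTERNAL_IF = "external0"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    recv: str  # interface the packet arrived on (what ipfw's "recv" matches)


class StatefulFilter:
    """Models the posted three-rule policy with no address translation:
         check-state
         allow ip any any recv internal0 keep-state
         deny ip any any
    The only state is a table of flows, like ipfw dynamic rules."""

    def __init__(self, internal_if: str = INTERNAL_IF) -> None:
        self.internal_if = internal_if
        self.dynamic = set()  # flow keys stored in both directions

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reply_flow(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        # rule 1: check-state -- packets matching a dynamic rule pass
        if self._flow(p) in self.dynamic:
            return "allow:state"
        # rule 2: anything received on the internal interface is allowed, and
        # keep-state records the flow and its reverse so the reply can return
        if p.recv == self.internal_if:
            self.dynamic.add(self._flow(p))
            self.dynamic.add(self._reply_flow(p))
            return "allow:keep-state"
        # rule 3: default deny, which is what stops unsolicited inbound traffic
        return "deny"


class NatGateway:
    """Minimal outbound NAT (port overloading on one external address).
    Inbound packets are dropped purely because no mapping exists for them,
    which is the same stateful default-deny as above, plus address rewriting."""

    def __init__(self, external_ip: str, internal_if: str = INTERNAL_IF) -> None:
        self.external_ip = external_ip
        self.internal_if = internal_if
        self.next_port = 40000
        # (proto, ext_ip, ext_port, remote_ip, remote_port) -> (inside_ip, inside_port)
        self.table = {}

    def process(self, p: Packet) -> str:
        if p.recv == self.internal_if:
            # allocate an external port and remember the mapping for the reply
            self.next_port += 1
            key = (p.proto, self.external_ip, self.next_port, p.dst, p.dport)
            self.table[key] = (p.src, p.sport)
            return f"translate:{self.external_ip}:{self.next_port}"
        inside = self.table.get((p.proto, p.dst, p.dport, p.src, p.sport))
        if inside is None:
            return "deny"  # no mapping: the packet has nowhere to go
        return f"untranslate:{inside[0]}:{inside[1]}"


def run_scenario(engine) -> list:
    """Same three packets through either engine; returns the verdicts."""
    inside, server, attacker = "192.0.2.5", "198.51.100.80", "203.0.113.9"
    verdicts = []
    # 1. the inside host opens a connection outward through the internal interface
    v = engine.process(Packet("tcp", inside, 51000, server, 80, INTERNAL_IF))
    verdicts.append(v)
    # where the server's reply is addressed depends on whether NAT rewrote it
    if v.startswith("translate:"):
        _, reply_ip, reply_port = v.split(":")
        reply_port = int(reply_port)
    else:
        reply_ip, reply_port = inside, 51000
    # 2. the server's reply arrives on the external interface
    verdicts.append(engine.process(Packet("tcp", server, 80, reply_ip, reply_port, EXTERNAL_IF)))
    # 3. an unsolicited inbound connection attempt to port 22 of the same address
    verdicts.append(engine.process(Packet("tcp", attacker, 4444, reply_ip, 22, EXTERNAL_IF)))
    return verdicts


if __name__ == "__main__":
    print("stateful filter, no NAT:", run_scenario(StatefulFilter()))
    print("NAT gateway:            ", run_scenario(NatGateway("203.0.113.1")))
```

Both engines allow the outbound connection and its reply and drop the unsolicited probe; the filter does so while the inside host keeps its public address, which is the claim in the post. One thing a real deployment adds to the posted three rules is a rule such as ipfw's antispoof (or explicit source-address checks) on internal0, since rule 2 as written trusts any source address arriving on that interface.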

