Firewall Wizards mailing list archives
Re: NAT on router vs. firewall
From: Neil Pike <NeilPike () compuserve com>
Date: Wed, 15 Jul 1998 14:10:40 -0400
<< From: Bill_Royds () pch gc ca

What do you do for a service that you want to limit to a known set of source IP numbers? You would have to have your router have a number of filter rules on input IP, which eventually makes your router an inefficient secondary firewall. I know that dedicated hackers can spoof source IP numbers, but a casual cracker has more difficulty, so filtering on source IP (which a firewall can do more readily than a router) raises the bar to attacks. One has to fake a source IP, fake the sequence numbers, capture replies ..., rather than just call the router with a session. >>

Bill,

If I want to limit it to certain source-ip addresses then I translate these into a separate pool of internal addresses in a one-for-one manner. (Which is something I do for one system where only one known internet address is currently to be allowed through).

Neil Pike MVP/MCSE
Protech Computing Ltd