Firewall Wizards mailing list archives
Re: NAT on router vs. firewall
From: Bill_Royds () pch gc ca
Date: Wed, 15 Jul 1998 10:17:34 -0400
> > How would you implement rules on a firewall based on source address or destination address? The firewall would only see the NAT versions of IP numbers, so it would not have any basis other than port to filter.
>
> Yes, the firewall only needs to see NAT'd addresses, but usually you have a one-to-one mapping for destination addresses inside your network, therefore you can apply rules just as tightly. For traffic coming in from outside (e.g. the Internet) usually you're not going to know the source address anyway, so I find it easier to translate these to a pool of NAT'd addresses so that the firewall then knows that anything coming in from 40.10.10.x (say) is actually an Internet address.
>
> Neil Pike MVP/MCSE
> Protech Computing Ltd

What do you do for a service that you want to limit to a known set of source IP numbers? You would have to have your router carry a number of filter rules on input IP, which eventually makes your router an inefficient secondary firewall. I know that dedicated hackers can spoof source IP numbers, but a casual cracker has more difficulty, so filtering on source IP (which a firewall can do more readily than a router) raises the bar to attacks. One has to fake a source IP, fake the sequence numbers, capture replies ..., rather than just call the router with a session.
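The ordering problem the two posters are arguing about can be shown with a small model (an added example, not code from the list or either author). It assumes a one-to-one destination NAT for the inside host, an outside-source pool in the style Neil describes, and a first-match rule table with a "known admin network only" rule; every address, port and rule below is constructed for illustration. The point it demonstrates is that the same rule table gives a different verdict depending on whether the filter runs before or after source translation: once outside sources have been rewritten into the pool, a source-based allowlist can no longer match, and only port and (one-to-one) destination remain usable.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as seen at the point where the filter runs
    dst: str    # destination IP as seen at that point
    dport: int  # destination port


# Constructed: one-to-one destination NAT (public address -> inside host),
# so a destination rule keeps its meaning on either side of translation.
DNAT_MAP = {"203.0.113.10": "10.1.1.10"}

# Constructed: the pool into which every outside source gets rewritten.
SNAT_POOL = ["40.10.10.1", "40.10.10.2", "40.10.10.3"]


def snat(src):
    """Deterministically map an outside source into the pool (constructed scheme)."""
    return SNAT_POOL[int(ip_address(src)) % len(SNAT_POOL)]


# Filter rules as (src net, dst net, dport or None, action); first match wins.
RULES = [
    (ip_network("198.51.100.0/24"), ip_network("10.1.1.10/32"), 22, "accept"),  # ssh: known admin net only
    (ip_network("0.0.0.0/0"),       ip_network("10.1.1.10/32"), 80, "accept"),  # web: anyone
    (ip_network("0.0.0.0/0"),       ip_network("0.0.0.0/0"),  None, "drop"),    # default deny
]


def filter_packet(pkt):
    """Evaluate the rule table against the packet as the filter sees it."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for src_net, dst_net, dport, action in RULES:
        if s in src_net and d in dst_net and dport in (None, pkt.dport):
            return action
    return "drop"


def verdict(pkt, snat_before_filter):
    """Verdict for an inbound packet, with source NAT either before or after the filter.

    Destination NAT is applied first in both cases; being one-to-one it does
    not change what a destination rule can express.
    """
    dst = DNAT_MAP.get(pkt.dst, pkt.dst)
    src = snat(pkt.src) if snat_before_filter else pkt.src
    return filter_packet(Packet(src, dst, pkt.dport))


if __name__ == "__main__":
    samples = {
        "admin ssh":    Packet("198.51.100.7", "203.0.113.10", 22),
        "stranger ssh": Packet("192.0.2.44", "203.0.113.10", 22),
        "anyone web":   Packet("192.0.2.44", "203.0.113.10", 80),
    }
    for name, pkt in samples.items():
        print(f"{name:13s} filter-before-SNAT={verdict(pkt, False):6s} "
              f"filter-after-SNAT={verdict(pkt, True)}")
```

Running it shows the asymmetry: the web rule (port plus one-to-one destination) behaves identically in both orders, while the admin-only ssh rule accepts the known source only when the filter runs on the untranslated source. That is exactly the case where the filtering has to happen at the router's input side, which is the extra router-side rule load Bill objects to.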
Current thread:
- NAT on router vs. firewall Gregory Blake (Jul 12)
- <Possible follow-ups>
- Re: NAT on router vs. firewall Bill_Royds (Jul 14)
- Re: NAT on router vs. firewall Neil Pike (Jul 14)
- Re: NAT on router vs. firewall Neil Pike (Jul 15)
- Re: NAT on router vs. firewall Bill_Royds (Jul 15)
- Re: NAT on router vs. firewall Neil Pike (Jul 17)
- Re: NAT on router vs. firewall Bill_Royds (Jul 19)