Firewall Wizards mailing list archives

Re: re: NAT for a simple network


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 15 Aug 2003 18:06:21 -0400 (EDT)

On Fri, 15 Aug 2003, Robert E. Martin wrote:

"in general, you should verify packets are
not allowed to the device from the big bad Internet.  you may also want to
only allow local access from select IP addresses or subnets."



So if I deny all from the outside coming in and allow all from the 
inside to go out, I should have the beginnings of a secure 
firewall.?!??!! This is not to say that it is a catch all but a start. 
Perhaps add rule stating only the internal subnet goes out and to deny 
all others. As I stated before, this is a simple network, no services 
coming in from the outside, just internet access for the subnet inside 
and dhcp running on the gateway.
Thanks to all that replied to this original post. This is a valuable 
resource to me. Thanks again!!


Be careful here, it's not deny all from the outside, in this case, it's
only allow back in what started from the inside out, thus you need to keep
state.  Those rules posted earlier looked like iptables or ipfw kind of
rules, and those are 'stateful' enough to suit the purpose here.  If you
simply do not allow anything inside from the outside, then your users will
hate you <smile>, as they will connect, and then sit, and sit, and sit
<seeing nothing>...


Thanks,


Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
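The stateful ruleset the reply describes, written out as an added example (not code from the thread or from either poster); interface names and the LAN subnet are assumed, and the naive "deny all inbound" version is shown beside it for contrast:

```shell
#!/bin/sh
# Constructed example: a minimal stateful iptables ruleset for the gateway
# described in the thread (LAN clients browse out, nothing is served inbound,
# DHCP runs on the gateway). Interface names and the LAN subnet are assumed.
WAN=${WAN:-eth0}                      # assumed: interface facing the Internet
LAN=${LAN:-eth1}                      # assumed: interface facing the LAN
LAN_NET=${LAN_NET:-192.168.1.0/24}    # assumed: internal subnet

# Print commands unless APPLY=1, so the script can be reviewed before it runs.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# The naive reading of "deny all from the outside": replies to the LAN's own
# outbound connections are dropped too, so every browser session just hangs.
stateless_ruleset() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
}

# What the reply actually recommends: default deny, then let back in only
# traffic belonging to a connection that started on the inside.
stateful_ruleset() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    # Return traffic for connections the gateway itself opened
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Return traffic for connections the LAN opened
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DHCP requests from LAN clients to the gateway's DHCP server
    run iptables -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    # New connections only from the internal subnet, only heading out
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # NAT the LAN behind the gateway's external address
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}
```

Run it as-is to review the generated commands; `APPLY=1 sh script.sh` (as root) executes them. Note that no rule admits NEW connections arriving on the WAN side, which is the "nothing in from the outside" part, while the ESTABLISHED,RELATED rules are what keep users from sitting and sitting.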

