Firewall Wizards mailing list archives

RE: NAT Pseudo Security


From: "Daniel Chemko" <dchemko () smgtec com>
Date: Thu, 6 May 2004 09:51:07 -0700

David Lang wrote:
> The ready availability and deployment of Linux on low end router type
> devices is making it so that when many people talk about the
> capabilities of NAT they include PAT (port address translation,
> masquerading, etc) because they don't even realize that this is
> a different beast than the traditional NAT. (for that matter, for
> several releases of Linux the kernel only knew how to do PAT, NAT is
> a relatively recent addition)

FYI:
199x Linux 2.2 had primitive versions of both PAT & NAT.
2001 Linux 2.4+ can do pretty much anything you throw at it.

For 2.4, you can even get more powerful features if you know how to
apply them.
For my firewall, I use L4 policy routing which seems to be unavailable
in any of the 'appliance' firewalls I've looked at. Mind you, my budget
is a lot thinner than a dollar bill :-)

> while egress filtering is important for many reasons, the simple step
> of blocking inbound connections is a great beginning.

Isn't the example you describe INGRESS filtering? Egress == Out,
Ingress == In
But yes, egress filtering is important when you can't anally control the
environment you're working in. Even if you can control the machines,
there is still the risk that something'll slip through.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

