Firewall Wizards mailing list archives

RE: NAT Pseudo Security


From: David Lang <david.lang () digitalinsight com>
Date: Thu, 6 May 2004 13:03:01 -0700 (PDT)

On Thu, 6 May 2004, Daniel Chemko wrote:

> Date: Thu, 6 May 2004 09:51:07 -0700
> From: Daniel Chemko <dchemko () smgtec com>
> To: David Lang <dlang () digitalinsight com>
> Cc: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] NAT Pseudo Security
>
> David Lang wrote:
> The ready availability and deployment of Linux on low end router type
> devices is making it so that when many people talk about the
> capabilities of NAT they include PAT (port address translation,
> masquerading, etc) because they don't even realize that this is
> a different beast than the traditional NAT. (for that matter, for
> several releases of linux the kernel only knew how to do PAT, NAT is
> a relatively recent addition)
> FYI:
> 199x Linux 2.2 had primitive versions of both PAT & NAT.
> 2001 Linux 2.4+ can do pretty much anything you throw at it.

right, but add that the 2.0 kernel only had PAT IIRC

many of the people who learned on linux got their start and much of their
terminology from those early days and don't realize that PAT !== NAT and,
if they realize that the two terms mean different things, use them
interchangeably.

> For 2.4, you can even get more powerful features if you know how to
> apply them.
> For my firewall, I use L4 policy routing which seems to be unavailable
> in any of the 'appliance' firewalls I've looked at. Mind you, my budget
> is a lot thinner than a dollar bill :-)

the appliances (including those that run linux) usually only provide a
config tool for the simpler features

> while egress filtering is important for many reasons, the simple step
> of blocking inbound connections is a great beginning.
>
> Isn't the example you describe INGRESS filtering? Egress == Out Ingress
> == In
> But yes, egress filtering is important when you can't anally control the
> environment you're working in. Even if you can control the machines,
> there is still the risk that something'll slip through.

my point was that while filtering what goes out is important for many
reasons, just blocking the inbound stuff is a good start on things. it
also has the huge advantage that it doesn't break many things so people
are more willing to use it.

David Lang


-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
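The thread turns on two points: PAT (masquerading) is not the same thing as traditional one-to-one NAT, and "just blocking inbound connections" is a cheap first step that breaks little. The following toy packet-flow model is an added example, not code from the thread or from any list member. It assumes constructed addresses (10.0.0.5 inside, 192.0.2.10 public, 203.0.113.9 a web server, 198.51.100.7 an unrelated outside host) and shows why masquerading drops unsolicited inbound packets as a side effect of having no mapping for them, why static 1:1 NAT forwards them unless a filter says otherwise, and how a stateful "allow only flows the inside opened" rule closes that gap for the 1:1 case.

```python
"""Toy model of PAT (masquerading) vs. one-to-one NAT, with an optional
stateful 'block new inbound connections' filter.  Added example; the
addresses and ports are constructed sample values, not from the thread."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True marks the first packet of a new connection


class PAT:
    """Many-to-one translation: every outbound flow is rewritten to the single
    public address with a freshly allocated source port.  Inbound packets are
    forwarded only if their destination port matches an existing mapping."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (inside_ip, inside_port, dst, dport) -> public port
        self.in_map = {}    # public port -> (inside_ip, inside_port)

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        port = self.out_map.get(key)
        if port is None:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[port] = (p.src, p.sport)
        return Packet(self.public_ip, port, p.dst, p.dport, p.syn)

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.in_map.get(p.dport)
        if inside is None:
            return None   # no mapping: an unsolicited packet has nowhere to go
        return Packet(p.src, p.sport, inside[0], inside[1], p.syn)


class StaticNAT:
    """One-to-one translation: a public address is bound to an inside host in
    both directions, so unsolicited inbound packets are forwarded as well."""

    def __init__(self, pairs: dict):
        self.to_pub = dict(pairs)                    # inside ip -> public ip
        self.to_priv = {v: k for k, v in pairs.items()}

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.src not in self.to_pub:
            return None
        return Packet(self.to_pub[p.src], p.sport, p.dst, p.dport, p.syn)

    def inbound(self, p: Packet) -> Optional[Packet]:
        if p.dst not in self.to_priv:
            return None
        return Packet(p.src, p.sport, self.to_priv[p.dst], p.dport, p.syn)


class InboundFilter:
    """Stateful 'block inbound connections' rule applied on the public side:
    an inbound packet is accepted only if it belongs to a flow the inside
    network opened (what a conntrack ESTABLISHED-style rule does)."""

    def __init__(self):
        self.flows = set()

    def note_outbound(self, p: Packet) -> None:
        self.flows.add((p.src, p.sport, p.dst, p.dport))

    def allow_inbound(self, p: Packet) -> bool:
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def run_scenario(translator, inbound_filter: Optional[InboundFilter] = None) -> dict:
    """Push one inside-originated flow plus one unsolicited inbound SYN through
    the translator; return what (if anything) reaches the inside network."""
    inside, server, outsider = "10.0.0.5", "203.0.113.9", "198.51.100.7"
    out = translator.outbound(Packet(inside, 40000, server, 80, syn=True))
    if inbound_filter is not None:
        inbound_filter.note_outbound(out)
    # The server replies to whatever public address/port left the box.
    reply = Packet(server, 80, out.src, out.sport)
    # An unrelated host tries to open a connection to the public address.
    unsolicited = Packet(outsider, 4444, out.src, 22, syn=True)
    results = {}
    for name, pkt in (("reply", reply), ("unsolicited", unsolicited)):
        if inbound_filter is not None and not inbound_filter.allow_inbound(pkt):
            results[name] = None            # dropped by the stateful rule
        else:
            results[name] = translator.inbound(pkt)
    return results


if __name__ == "__main__":
    for label, tr, flt in (("PAT, no filter", PAT("192.0.2.10"), None),
                           ("1:1 NAT, no filter", StaticNAT({"10.0.0.5": "192.0.2.10"}), None),
                           ("1:1 NAT + inbound block", StaticNAT({"10.0.0.5": "192.0.2.10"}), InboundFilter())):
        print(label, run_scenario(tr, flt))
```

Running it shows the reply delivered in all three cases, while the unsolicited SYN reaches 10.0.0.5:22 only under 1:1 NAT without the filter: PAT's "pseudo security" is just the absence of a mapping, and the stateful inbound rule is what makes the 1:1 case equivalent.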

