Firewall Wizards mailing list archives
RE: NAT Pseudo Security
From: David Lang <david.lang () digitalinsight com>
Date: Thu, 6 May 2004 13:03:01 -0700 (PDT)
On Thu, 6 May 2004, Daniel Chemko wrote:
> Date: Thu, 6 May 2004 09:51:07 -0700
> From: Daniel Chemko <dchemko () smgtec com>
> To: David Lang <dlang () digitalinsight com>
> Cc: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] NAT Pseudo Security
>
> David Lang wrote:
> > The ready availability and deployment of Linux on low end router type devices is making it so that when many people talk about the capabilities of NAT they include PAT (port address translation, masquerading, etc) because they don't even realize that this is a different beast than the traditional NAT. (For that matter, for several releases of Linux the kernel only knew how to do PAT; NAT is a relatively recent addition.)
>
> FYI: 199x Linux 2.2 had primitive versions of both PAT & NAT. 2001 Linux 2.4+ can do pretty much anything you throw at it.
Right, but add that the 2.0 kernel only had PAT. IIRC many of the people who learned on Linux got their start and much of their terminology from those early days and don't realize that PAT !== NAT, and if they realize that the two terms mean different things, use them interchangeably.
> For 2.4, you can even get more powerful features if you know how to apply them. For my firewall, I use L4 policy routing which seems to be unavailable in any of the 'appliance' firewalls I've looked at. Mind you, my budget is a lot thinner than a dollar bill :-)
The appliances (including those that run Linux) usually only provide a config tool for the simpler features.
> > While egress filtering is important for many reasons, the simple step of blocking inbound connections is a great beginning.
>
> Isn't the example you describe INGRESS filtering?
>
> Egress == Out
> Ingress == In
>
> But yes, egress filtering is important when you can't anally control the environment you're working in. Even if you can control the machines, there is still the risk that something'll slip through.
My point was that while filtering what goes out is important for many reasons, just blocking the inbound stuff is a good start on things. It also has the huge advantage that it doesn't break many things, so people are more willing to use it.

David Lang

-- 
"Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it." - Brian W. Kernighan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
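To make the PAT-versus-NAT distinction in the exchange above concrete, here is a toy model (added to this archive page, not code from either poster) of a traditional one-to-one NAT beside a many-to-one PAT box: the same unsolicited inbound packet is forwarded inside by the static address map but has no table entry under PAT and is dropped, which is the "pseudo security" of the thread's title. All addresses and ports are constructed; no real packets are sent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

class StaticNat:
    """One-to-one NAT: a fixed public<->private map and no per-flow state."""
    def __init__(self, pub_to_priv):
        self.pub_to_priv = dict(pub_to_priv)
        self.priv_to_pub = {v: k for k, v in pub_to_priv.items()}
    def outbound(self, p):
        return Pkt(self.priv_to_pub[p.src], p.sport, p.dst, p.dport)
    def inbound(self, p):
        # any packet to a mapped public address is forwarded inside, solicited or not
        priv = self.pub_to_priv.get(p.dst)
        return None if priv is None else Pkt(p.src, p.sport, priv, p.dport)

class Pat:
    """Many-to-one PAT (masquerading): each outbound flow claims a public port;
    inbound packets are translated only when they match a flow opened from inside."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out_map = {}  # (priv ip, priv port, remote ip, remote port) -> public port
        self.in_map = {}   # (public port, remote ip, remote port) -> (priv ip, priv port)
    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(self.next_port, p.dst, p.dport)] = (p.src, p.sport)
            self.next_port += 1
        return Pkt(self.public_ip, self.out_map[key], p.dst, p.dport)
    def inbound(self, p):
        # no matching entry means no inside host to deliver to: the packet is dropped
        entry = self.in_map.get((p.dport, p.src, p.sport))
        return None if entry is None else Pkt(p.src, p.sport, entry[0], entry[1])

def demo():
    nat = StaticNat({"203.0.113.10": "192.168.1.10"})  # constructed addresses
    pat = Pat("203.0.113.20")
    web = Pkt("192.168.1.10", 51000, "198.51.100.5", 80)  # inside host opens a web flow
    nat_out, pat_out = nat.outbound(web), pat.outbound(web)
    # the server's reply to that flow is delivered by both devices
    nat_reply = nat.inbound(Pkt("198.51.100.5", 80, nat_out.src, nat_out.sport))
    pat_reply = pat.inbound(Pkt("198.51.100.5", 80, pat_out.src, pat_out.sport))
    # an unsolicited packet to port 22: 1:1 NAT forwards it inside, PAT drops it
    nat_probe = nat.inbound(Pkt("192.0.2.66", 4444, "203.0.113.10", 22))
    pat_probe = pat.inbound(Pkt("192.0.2.66", 4444, "203.0.113.20", 22))
    return nat_reply, pat_reply, nat_probe, pat_probe
```

With a one-to-one map, blocking inbound connections has to be an explicit filter rule; with PAT it falls out of the translation table, which is why the two get conflated.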