Firewalls and NAT

Mark Hughes mh_lists at digitalspy.co.uk
Fri Mar 22 06:12:12 GMT 2002


> Cable Modem ---> FreeBSD (doing NAT) ---> Various Windows/FreeBSD boxes
>
> At present, the FreeBSD box has almost all of its services turned off,
> and I have been able to confirm using nmap that the only port open
> externally is the SSH one.
>
> It seems to me that my connection is pretty secure as it is. The only
> externally accessible IP belongs to the FreeBSD box, and as far as I can
> see the only way for malicious traffic from the net to get onto the
> internal network would be to 'hijack' one of the forwards that natd has
> set up for incoming traffic. Is there any serious risk of this?
>
> Am I being naive about the security offered by NAT? I know that NAT
> isn't intended as a security measure but what would I have to gain by
> implementing a proper firewall? Most high ports will have to be left
> open anyway as they are needed for traffic returning through NAT. True?
>
> Any help or opinions would be gratefully received.

I've got a similar setup, and, again, the only services the freebsd box is
running are ones that I want available from the net (ssh, ftpd, apache) - I
was running a firewall blocking everything else, but it was messing certain
things off so I've changed the firewall to allow all by default, apart from
stuff to and from port 139 - windows file sharing - in case I ever run samba
on the freebsd box (not that I do, but, I don't want a load of people
logging in to it if I do, as I have had in the past).

However, I don't know how safe this is, so, I'm equally interested to know
if there are any reasons why this is not secure.

Mark
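The question in the quoted post, whether the high ports have to stay open for
traffic returning through NAT, is the one a firewall actually answers: with
ipfw's stateful rules (keep-state / check-state) the return packets of a flow
the inside started are admitted from the dynamic table, and everything else
arriving from the net can be denied by default, including the natd forwards
you have not explicitly allowed. The script below is an added example
written for this thread, not anything from the original posts or from
FreeBSD's own rc.firewall; the interface names fxp0 / xl0 and the LAN range
192.168.1.0/24 are assumptions to adjust. It follows the usual ipfw + natd
ordering: inbound packets are translated before check-state so replies match
state that was created with the LAN address, and outbound packets create
state first and are then skipped forward to the divert rule. By default it
only prints the ipfw commands; set IPFW_CMD=ipfw to load them.

```shell
#!/bin/sh
# Stateful ipfw + natd ruleset (added example; interface names and LAN
# range are ASSUMPTIONS, adjust before use).
#
# Dry run by default: the commands are printed, not applied.  To load them
# for real, as root:  IPFW_CMD=ipfw sh ipfw.rules

oif="fxp0"            # ASSUMED: external (cable modem) interface
iif="xl0"             # ASSUMED: internal LAN interface
lan="192.168.1.0/24"  # ASSUMED: internal RFC 1918 range
ipfw="${IPFW_CMD:-echo ipfw -q}"
cmd="$ipfw add"

ruleset() {
    $ipfw -f flush

    # Traffic that never crosses the external interface is unrestricted.
    $cmd 100 allow ip from any to any via lo0
    $cmd 110 allow ip from any to any via "$iif"

    # Inbound packets are translated back to the LAN address *before* the
    # dynamic table is consulted, so replies match the state created below.
    $cmd 200 divert natd ip from any to any in via "$oif"

    # Anti-spoofing: private source addresses never arrive from the net.
    $cmd 210 deny ip from 10.0.0.0/8 to any in via "$oif"
    $cmd 220 deny ip from 172.16.0.0/12 to any in via "$oif"
    $cmd 230 deny ip from 192.168.0.0/16 to any in via "$oif"

    # Packets belonging to a flow already in the dynamic table are passed
    # with their parent rule's action; nothing else gets in without a rule.
    $cmd 300 check-state

    # Windows file sharing never crosses the external link in either
    # direction (139 as in the post; 445 and the NetBIOS UDP ports added).
    $cmd 400 deny tcp from any to any 139,445 via "$oif"
    $cmd 410 deny udp from any to any 137,138 via "$oif"

    # Outbound: state is created here while the source is still the LAN
    # address, then the packet is skipped forward to be NATed and sent.
    $cmd 500 skipto 1000 tcp from "$lan" to any out via "$oif" setup keep-state
    $cmd 510 skipto 1000 udp from "$lan" to any out via "$oif" keep-state
    $cmd 520 skipto 1000 tcp from me to any out via "$oif" setup keep-state
    $cmd 530 skipto 1000 udp from me to any out via "$oif" keep-state
    $cmd 540 skipto 1000 icmp from any to any out via "$oif" keep-state

    # Inbound: only SSH to the gateway itself.  A natd -redirect_port
    # forward needs its own rule here, e.g. (ASSUMED host/port):
    #   $cmd 710 allow tcp from any to 192.168.1.10 80 in via "$oif" setup keep-state
    $cmd 700 allow tcp from any to me 22 in via "$oif" setup keep-state

    # Everything else arriving from the net is dropped and logged; this
    # replaces "all high ports open" with "only replies to our own flows".
    $cmd 900 deny log ip from any to any in via "$oif"

    # Anything that was not skipped to 1000 above is denied too.
    $cmd 950 deny log ip from any to any

    # Skipped packets land here: outbound ones are translated, then every
    # packet arriving by skipto (outbound or a matched inbound reply) passes.
    $cmd 1000 divert natd ip from any to any out via "$oif"
    $cmd 1010 allow ip from any to any
}

ruleset
```

Installed as firewall_script in rc.conf next to natd_enable, this gives the
"proper firewall" asked about: nmap from outside should now show only 22/tcp,
and the natd forwards are reachable only where rule 710-style entries exist.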
