Firewalls and NAT

Brian Somers brian at freebsd-services.com
Fri Mar 22 13:02:29 GMT 2002


If you have either deny_incoming set to yes or target_address set to 
0.0.0.0, things should be secure.

Without either of these, it's possible for an attacker to get packets 
into your internal address by spoofing the destination address.  Mind 
you, I don't believe any replies would get back to that attacker....

The NAT forwards shouldn't be ``hijacka''able as the alias table 
maintained by libalias will just permit traffic between the specific 
ports and addresses for that protocol (tcp/udp etc).  Well, they're 
no more hijackable than any normal Internet connection is....

> > Cable Modem ---> FreeBSD (doing NAT) ---> Various Windows/FreeBSD boxes
> >
> > At present, the FreeBSD box has almost all of its services turned off,
> > and I have been able to confirm using nmap that the only port open
> > externally is the SSH one.
> >
> > It seems to me that my connection is pretty secure as it is. The only
> > externally accessible IP belongs to the FreeBSD box, and as far as I can
> > see the only way for malicious traffic from the net to get onto the
> > internal network would be to 'hijack' one of the forwards that natd has
> > set up for incoming traffic. Is there any serious risk of this?
> >
> > Am I being naive about the security offered by NAT? I know that NAT
> > isn't intended as a security measure but what would I have to gain by
> > implementing a proper firewall? Most high ports will have to be left
> > open anyway as they are needed for traffic returning through NAT. True?
> >
> > Any help or opinions would be gratefully received.
> 
> I've got a similar setup, and, again, the only services the freebsd box is
> running are ones that I want available from the net (ssh, ftpd, apache) - I
> was running a firewall blocking everything else, but it was messing certain
> things off so I've changed the firewall to allow all by default, apart from
> stuff to and from port 139 - windows file sharing - in case I ever run samba
> on the freebsd box (not that I do, but, I don't want a load of people
> logging in to it if I do, as I have had in the past).
> 
> However, I don't know how safe this is, so, I'm equally interested to know
> if there's any reasons why this is not secure.
> 
> Mark

-- 
Brian <brian at freebsd-services.com>                <brian at Awfulhak.org>
      http://www.freebsd-services.com/        <brian@[uk.]FreeBSD.org>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]OpenBSD.org>
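As an added illustration of the two settings Brian names (not code from the thread or from natd itself), the script below audits a natd.conf: it reports whether deny_incoming is on, what target_address is set to, and which explicit redirect_port/redirect_address forwards are configured, which are the only inbound paths natd opens on purpose and the ones the original poster asked about. The two embedded configurations are constructed samples; the interface name ed0 and the internal host 192.168.1.10 are assumptions, and the option spellings follow natd(8)'s configuration-file syntax as this writer recalls it (deny_incoming yes, redirect_port tcp target:port port).

```python
"""Audit a natd.conf for the settings discussed in Brian's reply.

Constructed samples only: neither configuration comes from the thread.
"""

# Constructed sample: forwards SSH to an internal host, nothing else set,
# so unsolicited inbound packets fall through to natd's default handling.
WEAK_CONF = """\
# natd.conf (constructed example; ed0 and 192.168.1.10 are assumptions)
interface   ed0
use_sockets yes
same_ports  yes
redirect_port tcp 192.168.1.10:22 22
"""

# Constructed sample: same forward, plus deny_incoming as the reply recommends.
HARDENED_CONF = """\
# natd.conf (constructed example; ed0 and 192.168.1.10 are assumptions)
interface     ed0
use_sockets   yes
same_ports    yes
deny_incoming yes
redirect_port tcp 192.168.1.10:22 22
"""


def parse_natd_conf(text):
    """Return (option, [args]) pairs; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        option, *args = line.split()
        entries.append((option, args))
    return entries


def deny_incoming_enabled(entries):
    """True when 'deny_incoming yes' is set.

    A bare 'deny_incoming' with no argument is treated as yes here; that is
    this script's reading of the config-file syntax, not a quote from natd(8).
    """
    for option, args in entries:
        if option == "deny_incoming":
            return not args or args[0].lower() == "yes"
    return False


def target_address(entries):
    """The configured target_address, or None when natd's default applies.

    The value is reported, not judged, so it can be compared with the
    reply's advice (target_address 0.0.0.0) by the administrator.
    """
    for option, args in entries:
        if option == "target_address" and args:
            return args[0]
    return None


def inbound_forwards(entries):
    """Explicit redirect_port / redirect_address lines: the forwards natd
    sets up for incoming traffic, i.e. the deliberate holes in the NAT."""
    return [" ".join([option, *args]) for option, args in entries
            if option in ("redirect_port", "redirect_address")]


def audit(text):
    """Summarise one natd.conf as a dict the caller can inspect or assert on."""
    entries = parse_natd_conf(text)
    return {
        "deny_incoming": deny_incoming_enabled(entries),
        "target_address": target_address(entries),
        "forwards": inbound_forwards(entries),
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

Running it prints one summary line per sample; the weak sample shows deny_incoming False with no target_address, the hardened one shows deny_incoming True, and both list the single SSH forward as the only explicit inbound path.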

More information about the Ukfreebsd mailing list