Firewalls and NAT

Brian Somers brian at
Fri Mar 22 13:02:29 GMT 2002

If you have either deny_incoming set to yes or target_address set to, things should be secure.

Without either of these, it's possible for an attacker to get packets 
into your internal address by spoofing the destination address.  Mind 
you, I don't believe any replies would get back to that attacker....

The NAT forwards shouldn't be "hijack"able as the alias table 
maintained by libalias will just permit traffic between the specific 
ports and addresses for that protocol (tcp/udp etc).  Well, they're 
no more hijackable than any normal Internet connection is....

> > Cable Modem ---> FreeBSD (doing NAT) ---> Various Windows/FreeBSD boxes
> >
> > At present, the FreeBSD box has almost all of its services turned off,
> > and I have been able to confirm using nmap that the only port open
> > externally is the SSH one.
> >
> > It seems to me that my connection is pretty secure as it is. The only
> > externally accessible IP belongs to the FreeBSD box, and as far as I can
> > see the only way for malicious traffic from the net to get onto the
> > internal network would be to 'hijack' one of the forwards that natd has
> > set up for incoming traffic. Is there any serious risk of this?
> >
> > Am I being naive about the security offered by NAT? I know that NAT
> > isn't intended as a security measure but what would I have to gain by
> > implementing a proper firewall? Most high ports will have to be left
> > open anyway as they are needed for traffic returning through NAT. True?
> >
> > Any help or opinions would be gratefully received.
> I've got a similar setup, and, again, the only services the freebsd box is
> running are ones that I want available from the net (ssh, ftpd, apache) - I
> was running a firewall blocking everything else, but it was messing certain
> things up so I've changed the firewall to allow all by default, apart from
> stuff to and from port 139 - windows file sharing - in case I ever run samba
> on the freebsd box (not that I do, but, I don't want a load of people
> logging in to it if I do, as I have had in the past).
> However, I don't know how safe this is, so, I'm equally interested to know
> if there's any reasons why this is not secure.
> Mark

Brian <brian at>                <brian at>        <brian@[uk.]>
Don't _EVER_ lose your sense of humour !      <brian@[uk.]>
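The two natd settings Brian names, shown as an added configuration example (not taken from the thread or from FreeBSD's own sample files): the weak natd.conf that leaves inbound packets untranslated, and the hardened one with deny_incoming and an explicit redirect for the one internal service that must be reachable. The interface name fxp0, the 192.168.1.0/24 internal network, and the host 192.168.1.10 are assumed for illustration. The kernel needs IPFIREWALL and IPDIVERT, and gateway_enable must be set for the box to forward at all.

```conf
# --- /etc/natd.conf (weak) -------------------------------------------------
# Only aliasing is configured.  A packet arriving on fxp0 whose destination
# is already an internal address (e.g. 192.168.1.10) matches no alias entry,
# is left untouched by natd, and is then forwarded inward like any other
# routed packet.  Nothing here stops that.
interface fxp0
use_sockets yes
same_ports yes
dynamic yes

# --- /etc/natd.conf (hardened) ---------------------------------------------
interface fxp0
use_sockets yes
same_ports yes
dynamic yes
# Drop every inbound packet on the aliasing interface that does not match an
# existing entry in the libalias table (i.e. a connection opened from inside)
# or one of the static redirects below.
deny_incoming yes
# Inbound services hosted on internal machines now have to be listed
# explicitly: external port 80 -> internal web server (assumed address).
redirect_port tcp 192.168.1.10:80 80
# Alternatively, target_address 192.168.1.10 would send *all* unmatched
# inbound traffic to one internal host instead of dropping it; deny_incoming
# is the stricter of the two and the one to prefer when nothing inside needs
# to be reachable.

# --- /etc/rc.conf (relevant lines) -----------------------------------------
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="fxp0"
natd_flags="-f /etc/natd.conf"

# --- /etc/ipfw.rules --------------------------------------------------------
# Divert everything crossing fxp0 through natd first, so that the alias
# table (not the firewall) decides which returning packets belong to a
# connection opened from inside.  The "high ports" therefore never need to
# be opened: replies to NATed connections are translated and re-injected
# after rule 100, and everything else arriving from outside is dropped.
add 100 divert natd ip from any to any via fxp0
add 200 allow ip from any to any via lo0
add 300 deny ip from 192.168.1.0/24 to any in via fxp0   # spoofed internal source
add 400 allow tcp from any to any established
add 500 allow tcp from any to me 22 in via fxp0 setup    # ssh on the gateway
add 600 allow tcp from any to 192.168.1.10 80 in via fxp0 setup   # the redirect
add 700 allow tcp from 192.168.1.0/24 to any out via fxp0 setup
add 800 allow udp from 192.168.1.0/24 to any 53 out via fxp0
add 810 allow udp from any 53 to any in via fxp0
add 900 allow icmp from any to any
add 65000 deny log ip from any to any
```

Rule 300 is the firewall-side counterpart of deny_incoming: natd's option stops packets with a spoofed internal *destination*, while the ipfw rule stops packets with a spoofed internal *source* arriving on the outside interface. Run `natd -v -f /etc/natd.conf` on a console to watch which inbound packets are aliased and which are dropped, and `ipfw -a list` to confirm the divert rule is counting packets before anything else matches.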
