> -----Original Message-----
> From: Reckhard, Tobias [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 23 February 2001 10:02 
> To: Firewalls Mailing List (E-mail)
> Subject: RE: To NAT or not to NAT?
> 
> 
> > > I'd argue that, in theory, it also doesn't help you any less. I'm more or
> > > less happy to use just NAT for low threat sites. I usually configure
> > > filtering rules as well, but they're only there to keep me in the habit.
> > 
> > Does NAT block an inbound packet going to 10.1.2.3 (assuming this is
> > a private address)? Unless you have an implicit filtering rule, it won't.
> > I guess that you have a default filtering rule that blocks inbound
> > packets that are not part of a NAT session. In which case, the packet
> > is blocked by the filter part of the implementation, not by the NAT part.
> > 
> Ah, you mean anti-spoofing protection, in effect. That should be put in
> place, yes. Good point, mouss.

Any NAT implementation that is not brain dead should block any packets that
are not addressed to a valid NAT translation (IP addr AND port, unless it's
a static or 'weird' translation).

You should also be able to configure NAT to _not_ translate stuff, based on
ACLs of some kind, and thus explicitly configure your edge device to allow
untranslated traffic to traverse (still in a stateful fashion), but if it
can happen by default then the code monkey responsible for that NAT
implementation gets no banana.

That's why NAT provides pretty reasonable security - as good as a dumb
stateful packet filter, anyway. In my experience, most of the protocols that
tend to get broken by NAT don't bother me anyway.

Cheers,

--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520  PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
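A small model of the inbound check the post describes, added here as an example and not code from anyone in the thread: an inbound packet is forwarded only if it matches a live translation, where dynamic entries must match on both the translated address and port while a static one-to-one mapping matches on the address alone; everything else, including a packet addressed directly to a private address such as 10.1.2.3, is dropped. The public addresses 203.0.113.x and the port numbers are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Translation:
    inside_ip: str
    inside_port: Optional[int]   # None marks a static one-to-one mapping
    outside_ip: str
    outside_port: Optional[int]  # None marks a static one-to-one mapping

class Nat:
    """Translation table plus the inbound lookup a sane NAT must perform."""
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: list[Translation] = []

    def add_dynamic(self, inside_ip: str, inside_port: int, outside_port: int):
        # Created when an inside host opens a session through the NAT
        self.table.append(Translation(inside_ip, inside_port, self.public_ip, outside_port))

    def add_static(self, inside_ip: str, outside_ip: str):
        # Administrator-configured one-to-one mapping; any port passes through
        self.table.append(Translation(inside_ip, None, outside_ip, None))

    def inbound(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (inside_ip, inside_port) if forwarded, None if dropped."""
        for t in self.table:
            if t.outside_port is None:          # static: address only
                if dst_ip == t.outside_ip:
                    return (t.inside_ip, dst_port)
            elif dst_ip == t.outside_ip and dst_port == t.outside_port:
                return (t.inside_ip, t.inside_port)   # dynamic: addr AND port
        return None                              # no translation: drop

def demo() -> dict:
    """Constructed scenario: one dynamic session, one static mapping."""
    nat = Nat("203.0.113.5")
    nat.add_dynamic("10.1.2.3", 40000, 50000)
    nat.add_static("10.1.2.9", "203.0.113.9")
    return {
        "reply_to_session": nat.inbound("203.0.113.5", 50000),  # forwarded
        "wrong_port":       nat.inbound("203.0.113.5", 50001),  # dropped
        "private_dst":      nat.inbound("10.1.2.3", 80),        # dropped
        "static_ssh":       nat.inbound("203.0.113.9", 22),     # forwarded
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'forward to ' + str(result) if result else 'drop'}")
```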
