> -----Original Message-----
> From: Henry Yen [mailto:[EMAIL PROTECTED]]
[...]
> > Sadly, I don't know of any routers that filter inbound packets for the
> > private IP range that they are protecting. If the attacker can somehow get a
> > packet for your private network routed as far as your NAT router it will
> > probably go straight through, unless there are also filters on the
> > router.[1]
>
> could you elaborate on this statement? " . . . don't know of any routers
> that filter ... ... unless there are also filters on the router"
> do you mean "routers that automatically/by default filter ..."?
Yes. I apologise for temporarily forgetting how to write coherent English.
8)
> > [1] We had a thread about this a couple of months ago, in which I said "Any
> > NAT implementation that is not brain dead should block any packets that are
> > not addressed to a valid NAT translation". I still believe this, but I had
> > some Cisco gear on the bench recently and noticed that it met my "brain
> > dead" criteria. D'oh.
>
> in context with my question above, one can add the desired filters, no?
Absolutely. Can and should.
> cisco allows both inbound and outbound filters on every real interface
> and subinterface. also, with the possibility of more than one subnet
> hanging off an interface, there is a plausible reason for allowing packets
> to flow out of an interface with a NAT subnet that are bound for other
> non-NAT (or other-NAT) destinations on that same interface.
>
> also, what router manufacturer offers such blocking? that would be
> most illuminating for our purchasing decisions...
None that I know of. I figure that I'm Just Making Stuff Up, otherwise
someone would have implemented automatic filtering. What I'd prefer is for
the router to look at the outbound NAT rules and then evaluate incoming
packets in a reverse context. In other words, when a packet comes in, the
router says "Would this be NAT'ed if there was a reply?" and drops the
packet if the answer is yes. The point is that there is no useful reason for
this packet to hit the inside (no "session" is possible because of
mismatching IP addresses) and it could lead to a world of pain. Especially
when combined with the ping "feature" we were discussing a couple of days
ago.
But, as I said, I guess I'm crazy.
> --
> Henry Yen <[EMAIL PROTECTED]>
> netcom shell refugee '94. [EMAIL PROTECTED],[EMAIL PROTECTED]
> Hicksville, New York
Cheers,
--
Ben Nagy
Network Security Specialist
Marconi Services Australia Pty Ltd
Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
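Ben's reverse-context check, written out as an added simulation of the filter he describes (not code from this thread or from any router vendor). The inside networks, public pool and translation table are constructed for illustration, and the second rule adds the "valid NAT translation" test from his footnote [1] on top of the reverse-NAT test.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed example: inside networks covered by the router's outbound NAT
# rules, and the public pool they are translated to (addresses are illustrative).
NAT_INSIDE_NETWORKS = [ipaddress.ip_network("10.1.0.0/16"),
                       ipaddress.ip_network("192.168.5.0/24")]
NAT_OUTSIDE_POOL = ipaddress.ip_network("203.0.113.0/28")

# Constructed: currently active translations, keyed by (outside addr, outside port)
# and mapping to (inside addr, inside port).
ACTIVE_TRANSLATIONS = {
    ("203.0.113.2", 40001): ("10.1.3.7", 51000),
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports (e.g. ICMP)


def would_be_natted_on_reply(pkt: Packet) -> bool:
    """The reverse-context test: if this packet reached the inside and a reply
    came back, would that reply match an outbound NAT rule?"""
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst in net for net in NAT_INSIDE_NETWORKS)


def inbound_verdict(pkt: Packet) -> Tuple[str, str]:
    """Verdict for a packet arriving on the outside-facing interface."""
    dst = ipaddress.ip_address(pkt.dst)
    # 1. Addressed straight at a private inside address: no session is possible
    #    (the reply would be translated to a different source), so drop it.
    if would_be_natted_on_reply(pkt):
        return ("drop", "destination is behind NAT")
    # 2. Addressed to the public pool: only an active translation may pass
    #    (the footnote [1] rule); anything else is not a valid NAT session.
    if dst in NAT_OUTSIDE_POOL:
        if (pkt.dst, pkt.dport) in ACTIVE_TRANSLATIONS:
            return ("allow", "matches active translation")
        return ("drop", "no translation for this destination")
    # 3. Other destinations (e.g. non-NAT hosts on the same interface) are left
    #    to the ordinary interface ACLs.
    return ("allow", "not a NAT destination")
```

Run a few constructed inbound packets through inbound_verdict() to see which rule each one hits.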