On 11/08/2010 14:29, Randal L. Schwartz wrote:
>>>>>> "Matthew" == Matthew Seaman <m.sea...@infracaninophile.co.uk> writes:
> 
> Matthew> Yes, you can achieve the same effect using firewall rules, but
> Matthew> as I have occasionally said before, firewalls should be
> Matthew> optional -- ideally your system should be secure even if you
> Matthew> turn the firewall off.
> 
> Well, I already have pf fired up to deal with web and ssh rate limiting,
> so firing up a natd seems a bit redundant.
> 

I meant that you could block access to private servers which need to
listen on public network ports by just using firewall rules, as opposed
to making the whole jail hang off a private interface and just
forwarding selected traffic to it.

For the second case, you would need pf to do the NAT'ing (or ipfw+natd
if that's your preference).  With this trick of binding the sensitive
daemons to an address on the loopback, you are still secure even if pf
gets turned off.  Of course, "secure" is not necessarily the same as
"working."

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW

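One way to verify the property described above (private daemons bound only to loopback, so they stay unreachable from outside even with pf switched off) is to audit `sockstat -4l` output. This is an added example script, not code from the thread; the sockstat sample is constructed, and the function name `exposed_sensitive` is hypothetical.

```shell
#!/bin/sh
# Added example: audit listening IPv4 sockets so that daemons meant to be
# private are bound only to loopback addresses, independent of pf rules.
# Input format follows FreeBSD `sockstat -4l` (header line, then one
# socket per line: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).

# Constructed sample of `sockstat -4l` output (not captured from a real host).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  4  tcp4   *:22                  *:*
mysql    mysqld     2345  10 tcp4   127.0.0.1:3306        *:*
www      nginx      3456  6  tcp4   *:80                  *:*
root     memcached  4567  26 tcp4   10.0.0.5:11211        *:*
root     memcached  4567  27 udp4   127.0.0.1:11211       *:*'

# exposed_sensitive "daemon1 daemon2 ..." < sockstat-output
# Prints "command local-address" for every listening socket of a named
# daemon whose local address is the wildcard or outside 127.0.0.0/8.
# Exit status 1 when anything is exposed, 0 otherwise (hypothetical helper).
exposed_sensitive() {
    awk -v list="$1" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR == 1 { next }                        # skip the sockstat header
        !($2 in want) { next }                  # not one of the sensitive daemons
        {
            addr = $6; sub(/:[0-9*]+$/, "", addr)   # strip ":port" or ":*"
            if (addr == "*" || addr !~ /^127\./) { print $2, $6; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Example run: mysqld and memcached are meant to be reachable only locally.
# Expected finding: "memcached 10.0.0.5:11211" (the udp4 socket on 127.0.0.1 passes).
if printf '%s\n' "$SAMPLE_SOCKSTAT" | exposed_sensitive "mysqld memcached"; then
    echo "ok: all sensitive daemons are bound to loopback"
else
    echo "WARNING: sensitive daemon(s) listed above are reachable off-host"
fi
```

Run it on a live host with `sockstat -4l | exposed_sensitive "mysqld memcached"`; IPv6 sockets (`sockstat -6l`, `::1`) are not covered by this version.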