> I think masquerading is a useful additional firewall layer. It makes it
> simply impossible to talk to hosts hidden behind the firewall unless _they_
> make the first move. Unlike traditional firewalling ("Hmm, do I really need
> to close off this port? I guess not.") it's quite difficult to screw up.
That isn't completely true. You can often provoke such a host - think about
http redirects if they aren't using a proxy.
A Linux box using masquerade without additional code for filters fails the
British Standards Institute firewall requirements. Why - because masquerade
doesn't screen header attacks - 0 length option and similar. (Rumour has it
netfilter will ;))
If you want "impossible" you need at minimum to be running a pure proxy setup
- squid and the like. Masquerade is cute, it's good basic security but it is
not 'impossible' or military spec.
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
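An added example, not from the post or its author, of the kind of header screening the reply says a masquerade-only box lacks: it walks the IPv4 option area and flags a zero-length option (which makes a naive parser loop forever) or one that overruns the header. The header builder and the two sample packets are constructed here for illustration.

```python
import struct

def check_ipv4_options(packet: bytes) -> list:
    """Return problems found in an IPv4 header's option area ([] = clean)."""
    if len(packet) < 20:
        return ["shorter than the 20-byte minimum IPv4 header"]
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4:
        return [f"not IPv4 (version {version})"]
    if ihl < 20 or ihl > len(packet):
        return [f"bad IHL: header length {ihl} bytes"]
    options, i, problems = packet[20:ihl], 0, []
    while i < len(options):
        opt_type = options[i]
        if opt_type == 0:      # End of Option List
            break
        if opt_type == 1:      # No Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            problems.append(f"option {opt_type}: length byte missing")
            break
        opt_len = options[i + 1]
        if opt_len < 2:        # zero (or one) length: a naive loop never advances
            problems.append(f"option {opt_type}: illegal length {opt_len}")
            break
        if i + opt_len > len(options):
            problems.append(f"option {opt_type}: length {opt_len} overruns header")
            break
        i += opt_len
    return problems

def make_ipv4_header(options: bytes) -> bytes:
    """Build a constructed IPv4 header (10.0.0.1 -> 10.0.0.2, TCP) with options."""
    options += b"\x00" * ((-len(options)) % 4)   # pad option area to 32-bit boundary
    ihl = (20 + len(options)) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + options

# Constructed samples: a valid Record Route option (type 7, len 7, pointer 4)
# beside the same option carrying a zero length byte.
GOOD = make_ipv4_header(bytes([7, 7, 4, 0, 0, 0, 0]))
BAD = make_ipv4_header(bytes([7, 0, 4]))

if __name__ == "__main__":
    print("good:", check_ipv4_options(GOOD), "bad:", check_ipv4_options(BAD))
```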