Historians believe that, on Fri 08 Jun 2007, Will Murnane said:
> Name a case in which firewalling does not suffice. I'm curious to see
> what your answer will be.

Sometimes there are ways to bypass firewalls. With NAT, even if you circumvent the firewall your internal addresses are still unreachable. If you have a valid /24 network, bypassing the firewall leaves your entire network in the wild.

You can argue that all nodes should have local/application firewalls like ZoneAlarm and you can use internal firewalls between zones and blablabla... But in this case the complexity would be so overwhelming that it would be simpler to build a single good old crappy NATed firewall.

Of course a real skilled hacker would break into the NAT router first and, once having access to a shell inside the router, connect to your local network directly. He can even use the compromised router as a redirector with a little help from my friend NetCat. But if you're compromised this far there is something wrong with your security policy...

That said, I agree with you: in some cases, NAT sucks.

--
Henrique Cesar Ulbrich
[EMAIL PROTECTED]

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
