Simon Hobson wrote:
>
> What's the difference, security wise, between:
> DNAT net loc:a.b.c.d
> and
> ALLOW net loc:a.b.c.d
> assuming you have a default policy net->loc of drop ?
>
Simon,
It's a huge difference. RFC 1918 packets are not routable. Thus, even if your firewall drop rule failed, the chance of easy NAT traversal is pretty slim if the admin of the gateway machine has been smart about what services are exposed.

You do not have that advantage if you are firewalling a LAN comprised of routable IPs.
--
Michael Cozzi
[EMAIL PROTECTED]
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users