Volker Kuhlmann wrote:
> As a side effect of the NAT-first, you can *NOT* limit access based on
> the dest port of the incoming packet, as that has already been NATed
> into oblivion by the time the packet reaches the filter rules.
Ah, ok, yeah you're right on that. But that's useless. Who cares what
the destination port was prior to NAT? That only matters if you open
up, say, port 88 and 888 on the WAN, going to the same internal host on
the same internal port, say port 80 internally. If you're going to let
some IP get to that internal machine's port 80, who cares if it can get
to it via port 88 and 888 from the WAN rather than just one of those?
The best that could possibly provide you is a little obscurity in some
very odd, uncommon scenarios.
Can you give me an example of a legit need for this, that isn't some
poor attempt at security through obscurity?
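The ordering question behind this exchange (nat PREROUTING rewrites the destination before filter FORWARD ever sees the packet) can be modelled in a few lines. The following is an added example, not code from this thread or from any firewall project; all addresses, ports and rules are constructed. It shows why a FORWARD rule matching on `--dport` cannot tell the two WAN ports apart after DNAT, and how a rule keyed on conntrack's original tuple (the `-m conntrack --ctorigdstport` match in iptables) recovers the pre-NAT port if a policy really needs it.

```python
"""Model of netfilter's NAT-before-filter ordering for a forwarded packet.

Added illustration only; it does not touch a real firewall. Hosts, ports
and the DNAT table below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    # Filled in by the NAT stage, mirroring conntrack's "original" tuple
    orig_dst: Optional[str] = None
    orig_dport: Optional[int] = None


# Constructed DNAT table: (wan_ip, wan_port) -> (internal_ip, internal_port).
# Two WAN ports are forwarded to the same internal service, as in the thread.
DNAT = {
    ("203.0.113.10", 88): ("192.168.1.20", 80),
    ("203.0.113.10", 888): ("192.168.1.20", 80),
}


def nat_prerouting(pkt: Packet) -> Packet:
    """nat PREROUTING: rewrite the destination before any filter rule runs.

    The original tuple is recorded the way conntrack does, so a later
    stage can still consult it.
    """
    pkt.orig_dst, pkt.orig_dport = pkt.dst, pkt.dport
    target = DNAT.get((pkt.dst, pkt.dport))
    if target is not None:
        pkt.dst, pkt.dport = target
    return pkt


def filter_forward_dport(pkt: Packet, allowed_wan_port: int) -> bool:
    """A FORWARD rule written as `--dport <allowed_wan_port>`.

    It only ever sees the post-NAT port, so a WAN-port policy cannot be
    expressed this way once DNAT has run.
    """
    return pkt.dport == allowed_wan_port


def filter_forward_ctorigdstport(pkt: Packet, allowed_wan_port: int) -> bool:
    """A FORWARD rule written as `-m conntrack --ctorigdstport <port>`.

    Matches on the pre-NAT destination port kept in the conntrack entry.
    """
    return pkt.orig_dport == allowed_wan_port


Rule = Callable[[Packet, int], bool]


def forward(wan_port: int, rule: Rule, allowed_wan_port: int) -> bool:
    """Run one inbound packet through nat PREROUTING, then the filter rule.

    Returns True if the filter rule accepts the packet.
    """
    pkt = Packet(src="198.51.100.5", dst="203.0.113.10", dport=wan_port)
    pkt = nat_prerouting(pkt)
    return rule(pkt, allowed_wan_port)


if __name__ == "__main__":
    for wan_port in (88, 888):
        print(
            f"WAN port {wan_port}: "
            f"--dport 88 -> {forward(wan_port, filter_forward_dport, 88)}, "
            f"--dport 80 -> {forward(wan_port, filter_forward_dport, 80)}, "
            f"--ctorigdstport 88 -> "
            f"{forward(wan_port, filter_forward_ctorigdstport, 88)}"
        )
```

Running it shows the three outcomes discussed in the thread: a `--dport 88` rule after DNAT matches nothing (the packet now carries port 80), a `--dport 80` rule admits traffic that arrived on either 88 or 888 without distinguishing them, and only the conntrack original-tuple match can restrict by the WAN-side port.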