Okay, since there's still a lot I have to learn, I'll ask the question:
What do you gain from having a firewall behind a NAT router with no port
forwards? Speaking only in terms of inbound protection, of course.
Obviously a firewall can filter traffic in both directions. Can one not
depend on a forwardless NAT router to simply drop all incoming
connection attempts? Are there packets, or methods of connecting, that
can somehow sneak through such a NAT setup and reach machines on the inside?
In all the networks I administer, firewall + router is the standard
operating procedure, so I'm just interested in more of the reasons why
it's a good idea (that is, I don't need any convincing to start doing it).
As always, both lengthy explanations and links to reading material are
appreciated equally. :-)
Cheers,
~B
P.S. A Linux box with iptables configured on the "reject everything but
_____" principle counts as "good," right? :-)
Cristobal Palmer wrote:
So the backstory is that we (Brian + Cerient) ate lunch, and I told
Brian about this... *ahem* ...friend of mine who insisted to me that a
router is always a firewall. When I say insisted, I mean he followed
me after I'd gotten up and left the room. I mean he emailed me the
next morning to follow up on his insistence.
I... uhh... have some weird friends. Seriously though, get a good
firewall everybody. The internets are dangerous.
Vice-chair-ily yours,
CMP
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
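Added example (not part of the thread above, not Brian's or the list's own code): the "reject everything but _____" iptables policy the P.S. describes, written as a POSIX shell script that emits the ruleset in iptables-restore format so it can be reviewed and syntax-checked before it is loaded. The chosen allowed ports, the log prefix and the function names are hypothetical. Two points it makes concrete that a NAT-without-forwards does not: the default policies are DROP rather than "nothing matched, so nothing translated", and the same ruleset is generated for IPv6 (which NAT does not cover at all, so an ISP handing out native IPv6 behind a "forwardless" IPv4 router leaves the hosts directly reachable unless ip6tables says otherwise).

```shell
#!/bin/sh
# Added example, not from the original thread. Generates a default-deny
# iptables/ip6tables ruleset in iptables-restore format. Port list, log
# prefix and function names are hypothetical choices for illustration.
set -eu

# gen_rules FAMILY PORT...
#   FAMILY is 4 or 6; each PORT is a TCP port that may accept NEW inbound
#   connections. Everything not listed is rejected.
gen_rules() {
    family=$1; shift
    if [ "$family" = 6 ]; then
        # ICMPv6 carries neighbour discovery, router advertisements and
        # PMTUD; blocking it breaks the host, so it is accepted wholesale.
        icmp='-p ipv6-icmp -j ACCEPT'
        reject='-j REJECT --reject-with icmp6-port-unreachable'
    else
        icmp='-p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
        reject='-j REJECT --reject-with icmp-port-unreachable'
    fi
    printf '%s\n' '*filter'
    # Default policies: nothing comes in or through unless a rule says so.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host initiated are the only unsolicited-
    # looking packets a stateful firewall lets back in (same idea a NAT uses).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' "-A INPUT $icmp"
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log (rate-limited) and then reject explicitly rather than silently
    # relying on the DROP policy, so refused connections show up in syslog.
    printf '%s\n' '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "fw-reject: "'
    printf '%s\n' '-A INPUT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' "-A INPUT $reject"
    printf '%s\n' 'COMMIT'
}

# apply_rules FAMILY PORT...
#   Parses the generated ruleset with --test first (no changes made), then
#   loads it atomically. Needs root and the iptables tools installed.
apply_rules() {
    family=$1
    if [ "$family" = 6 ]; then tool=ip6tables-restore; else tool=iptables-restore; fi
    gen_rules "$@" | "$tool" --test
    gen_rules "$@" | "$tool"
}

# Usage, for a host that should only expose SSH on v4 and v6 (hypothetical):
#   gen_rules 4 22            # print the IPv4 ruleset for review
#   apply_rules 4 22 && apply_rules 6 22
```

Because the rules are generated rather than typed in one `iptables -A` at a time, there is no window during reload where the chain is half-populated with an ACCEPT policy; iptables-restore replaces the whole table in one commit. Run `gen_rules` first and read the output, then `apply_rules`, and keep a console session open when doing this remotely: with INPUT defaulting to DROP, a typo in the port list locks you out.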