On 30.07.2006, at 22:04, Pascal Hambourg wrote:
former03 | Baltasar Cevc wrote:
You're right, of course - I thought of a firewall situation with NAT -
Why ? What is the difference with or without NAT ?
You can filter out all incoming packets to local IP addresses on the
WAN interface before NAT is done; if you just use MASQUERADE for
outgoing packets, "iptables -A INPUT -i eth0 -d 192.168.0.0/16 -j
DROP".
Granted, if filtering breaks that does not help, but in case of an
attacker who is not on the same physical network as the WAN interface
it will probably break with the other listen address as he will hardly
manage to get the packets routed to the host.
Baltasar
--
Baltasar Cevc
_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen
_____ http://www.former03.de
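The ingress filter described in the reply above, as an added example that is not part of the original thread: it generalises the single rule to all RFC 1918 ranges and to both the INPUT and FORWARD chains, keeps the MASQUERADE rule for outgoing traffic, and lets the rules be printed instead of loaded (IPT=echo) so the ruleset can be checked without touching the kernel. The interface name, the rate-limited LOG rule and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): drop packets that arrive on the WAN
# interface but are addressed to internal (RFC 1918) networks, before
# MASQUERADE-only NAT has to see them. Assumptions: the WAN interface name is
# passed as the first argument; only MASQUERADE is in use (no DNAT).
# IPT may be overridden (IPT=echo) to print the rules instead of loading them.

IPT="${IPT:-iptables}"
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# One rate-limited LOG rule and one DROP rule per private range, in both the
# INPUT chain (traffic for the firewall itself) and the FORWARD chain
# (traffic for hosts behind it); then the outbound MASQUERADE rule.
wan_antispoof_rules() {
    wan="$1"
    for net in $PRIVATE_NETS; do
        for chain in INPUT FORWARD; do
            $IPT -A "$chain" -i "$wan" -d "$net" -m limit --limit 5/min \
                -j LOG --log-prefix "wan-private-dst: "
            $IPT -A "$chain" -i "$wan" -d "$net" -j DROP
        done
    done
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Dry run: print the rules that would be installed for the given interface.
print_wan_antispoof_rules() {
    ( IPT=echo; wan_antispoof_rules "$1" )
}

# Number of DROP rules the ruleset would install (3 ranges x 2 chains = 6).
count_drop_rules() {
    print_wan_antispoof_rules "$1" | grep -c -- '-j DROP'
}
```

Run `print_wan_antispoof_rules eth0` to review the rules first, then `wan_antispoof_rules eth0` as root to load them.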