Re: no ssh on eth0

On 31.07.2006, at 23:39, Martijn Lievaart wrote:

> former03 | Baltasar Cevc wrote:
>
>> On 31.07.2006, at 15:44, Pascal Hambourg wrote:
>>
>>> I just don't see how it is different whether you have NAT/MASQUERADE or not. To me filtering and NAT in iptables are fundamentally independent.
>>
>> Sure, they are. However, if I NAT, I can make the following assumption:
>> there are no (valid) packets addressed to internal addresses on eth0.
>> Which is something I can't assume when I don't have NAT. Without that assumption, I cannot prohibit as much as I can when I assume that.
>
> A very dangerous assumption. We're talking about NAT for outgoing connections. Incoming connections are still possible if someone controls the routing up to your box. I would NEVER base my security on that assumption where security matters (so for a home setup it's fine, but otherwise not).

Apparently we misunderstood each other. I did not talk about the assumption that such packets never come there; on the contrary, I make the assumption that these packets are bad, so I should filter them out.

However, one thing I 'relied on': in case the packet filter fails (we should always consider failure, although at least the software part, netfilter, is really stable, no need to argue about the latter) for whatever reason, it is better at least not to listen on the external IP, so that in the case the provider does filter (which it should), it would at least be impossible to connect from anywhere except the local part of the WAN and the LAN. Which will significantly reduce the dangers.

Baltasar

--
Baltasar Cevc

_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen

_____ http://www.former03.de
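The two measures Baltasar describes above, filtering WAN-side packets that carry internal addresses and having sshd listen only on the internal address, as an added shell example that is not part of this thread or of anyone's posted configuration. The interface names, the LAN prefix and the router address are constructed assumptions; `gen_rules` only prints the iptables commands so the set can be reviewed before it is applied, and `sshd_bound_to_lan` checks an sshd_config for the listen-address part.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed assumptions: WAN interface
# eth0, LAN interface eth1, LAN 192.168.1.0/24, router LAN address 192.168.1.1.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IP="${LAN_IP:-192.168.1.1}"

# Print the iptables commands rather than running them; `gen_rules | sh`
# (as root) applies them.
gen_rules() {
    # Anti-spoofing on the WAN side: behind outgoing masquerading, no valid
    # packet on eth0 carries a private or loopback source or destination
    # address, so such packets are treated as hostile in INPUT and FORWARD.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        for chain in INPUT FORWARD; do
            echo "iptables -A $chain -i $WAN_IF -s $net -j DROP"
            echo "iptables -A $chain -i $WAN_IF -d $net -j DROP"
        done
    done
    # Kernel reverse-path check as a second, independent layer on eth0.
    echo "sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=1"
    # ssh is accepted only from the LAN, on the LAN interface; everything
    # else aimed at port 22 (including anything arriving on eth0) is dropped.
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -d $LAN_IP -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
    # Outgoing masquerading, kept separate from the filter rules above.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}

# Return 0 when the given sshd_config binds sshd only to the LAN address
# (at least one ListenAddress, and every one of them is $LAN_IP), so that
# even with the packet filter gone the daemon is not reachable on the
# external IP. Any other ListenAddress, or none at all, returns 1.
sshd_bound_to_lan() {
    cfg="$1"
    listens=$(grep -E '^[[:space:]]*ListenAddress' "$cfg" | awk '{print $2}')
    [ -n "$listens" ] || return 1
    for a in $listens; do
        case "$a" in
            "$LAN_IP"|"$LAN_IP":*) ;;   # bare address or address:port
            *) return 1 ;;
        esac
    done
    return 0
}
```

The rules are deliberately written against the interface rather than against the current external address, so they stay valid when the provider hands out a different address; `rp_filter` catches the same spoofed sources independently of the iptables rules, which is the kind of layering the failure case in the mail calls for.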



