[Dshield] NAT: Secure?

Micheal Patterson micheal at cancercare.net
Thu Aug 28 23:38:02 GMT 2003

----- Original Message ----- 
From: "Alan Frayer" <afrayer at frayernet.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Thursday, August 28, 2003 5:33 PM
Subject: Re: [Dshield] NAT: Secure?

> On Thu, 2003-08-28 at 18:07, Micheal Patterson wrote:
> > >
> > > Would you put the firewall on the outside of the NAT, or on the
> > That would depend on the scenerio. If you have more than one real IP
> > you can use, put it outside. If you don't have the IP's to spare, put it
> > directly behind the NAT before the LAN switch / Hub.
> >
> Funny you would say that, as most broadband routers w/NAT that I've seen
> provide one WAN input, then use a built-in hub to distribute the routed
> traffic...
> However, I got into the broadband idea early, and the NAT is actually
> provided by a simple gateway, with a WAN side and a LAN side. Your
> suggestion, then, is to put the firewall between this gateway and my hub
> or switch. Any suggestions toward a firewall on a small budget? As you
> might guess from my signature, I'm not actually very well heeled at the
> moment.
> ________________________________________________________________________
> Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
> Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
> If you would like to discuss an opportunity with me, please e-mail.

Most of those with built in switches will, as I understand it, have a path
as lan <> switch <> NAT <> Firewall <> WAN Port but  I'm not certain that is
the actual path as I don't personally use them.  What I personally use, is
an old PC with FreeBSD on it, dual nic'd. Crossover from one nic to my cable
modem port so that the BSD box has the real IP, have an internal nick with a
192.168.x.x ip that connects to my 100mb switch, and the rest of the
internal systems connect to the switch. I then configure NAT and IPFW on the
FreeBSD box. Linux or any *nix flavor can do this just as well. This setup
works well for me as all traffic runs through the firewall and is then
diverted to NAT at the first firewall rule, then NAT reinjects the packet
back into the firewall for any additional processing at the next rule.
Provided you have the hardware available, even a 386 with 64mb ram would do
the trick, this is an inexpensive way to do this.


Micheal Patterson
Network Administration
Cancer Care Network

More information about the list mailing list