[Dshield] [DShield] Architecture approach

Valdis.Kletnieks@vt.edu Valdis.Kletnieks at vt.edu
Fri Aug 12 04:44:27 GMT 2005


On Thu, 11 Aug 2005 22:59:30 CDT, Mike Wydra said:
> If we're talking about the same thing; I love my NAT. It's doing a fine job
> of hiding my IP address, and blocking all the crap that's trying to enter my
> machine.

The only reason your NAT does any job of blocking stuff is because most NAT
boxes also implement firewall rules as well.  You'd get the exact same security
with a Linux box that did an iptables:

# Accept packets related to a connection we already have (e.g. ICMP errors, FTP data)
iptables -A INPUT -m state --state RELATED -j ACCEPT
# Accept replies to connections we initiated
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# Drop everything else (unsolicited inbound)
iptables -A INPUT -j DROP

(Basically, if it's related to a packet you sent, accept it, otherwise drop it).
The Windows XP SP2 firewall does the rough equivalent as well.  And there's no
rule writing involved for the XP or Fedora firewall ruleset either (I haven't
checked into what other Linux distros do for iptables config at install time).

And the fact that it hides your IP address is considered by many to be the
innate evil of NAT, because it makes a lot of otherwise reasonable things
a lot more difficult - there are twice as many RFCs on "how to make XYZ work
through a NAT" as there are actually about NAT.

http://www.cs.utk.edu/~moore/what-nats-break.html is a good write-up of
all the stuff that doesn't work when a NAT gets involved...

(And note that a NAT doesn't do as good a job of hiding your address as you
might think - there's been a lot of very good work on enumerating the hosts
behind a NAT, even if you don't leak the information out yourself...)