[Dshield] [DShield] Thanks Brian

Aaron Lewis aaron at adldatacomm.net
Sat Aug 13 00:27:03 GMT 2005


Mike, I don't believe there is any need for panic here. As you saw, your IP
address is public to anyone who cares. Stealthing or filtering ports, as
your firewall is doing, is a much better defense. NAT in and of itself does
nothing more than allow you to run several machines on one public address. A
simple port scan will reveal any services that are permitted into your
network.

Not being able to ping something is a result of filtering ICMP and as was
mentioned, most firewalls do this by default OR allow you to turn it on very
easily.

Now I have a question: didn't this thread begin because you were asking
about NATing a web server with load balancers? So are we talking at the
engineer level, or are you a home user?

ADL
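Aaron's point (NAT only shares one address, the filter rules do the protecting, and an unanswered ping is a filtering choice rather than a property of NAT) written out as a small home-gateway ruleset. This is an added illustration, not code from the list thread; the nftables syntax, the interface names wan0/lan0 and the LAN prefix are assumptions.

```nftables
# Added illustration, not from the thread. Assumes nftables, a WAN interface
# named wan0 and a LAN interface named lan0 (192.168.1.0/24 behind it).
table inet gateway {
    # NAT chain: this is all that "several machines on one public address"
    # needs. It hides nothing; it only rewrites source addresses on the way out.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }

    # Filter chain for traffic addressed to the gateway itself. The default
    # policy is what "stealths" the box: anything unsolicited from the WAN
    # is silently dropped.
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "lan0" accept
        # Not answering echo requests is a deliberate filter decision here,
        # which is why the box looks "unpingable" from outside.
        iifname "wan0" icmp type echo-request drop
        iifname "wan0" icmpv6 type echo-request drop
        # Keep IPv6 neighbour discovery working so IPv6 does not break.
        iifname "wan0" icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    # Filter chain for traffic crossing the gateway. Only LAN-initiated
    # connections and their replies pass; no inbound service is forwarded,
    # so there is nothing for a port scan of the public address to find.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "lan0" oifname "wan0" accept
    }
}
```

Any dnat/port-forward rule added to the nat side later has to be matched by an explicit accept in the forward chain, and that accepted port is exactly what a scan of the public address would then show.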

> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org]On Behalf Of Mike Wydra
> Sent: Friday, August 12, 2005 8:07 PM
> To: General DShield Discussion List
> Subject: [Dshield] [DShield] Thanks Brian
>
>
> Brian Dessent wrote:
> > How exactly does NAT hide anything?  The address translation
> > is local to you and you alone.  To every other machine on
> > the internet you have a regular non-rfc1918 IP address.  No
> > machine will see your NATed address.
>
> Gee, thanks Brian - it was really "swell" of you to post my
> name with my IP address on this public list. Hope I can
> return the "favor" some day.
>
> Johannes B. Ullrich wrote:
> > I think we are mixing up two issues here:
> > - NAT: Lots of people use it to share a single routed IP
> > address among several hosts. It will also make it harder to
> > directly address (=target) a system on the local network.
>
> Thank you, Johannes - this IS what I was talking about, and
> now I know that there are two different NAT issues. As I've
> stated many times - I'm an average "home user," and I think
> there are a lot of other people on this list that are in the
> same boat that I am. We are NOT running servers, so we don't
> tend to have port 80 wide open to the world. In fact - we
> don't want ANYBODY coming into our machines, unless we invite
> them in. We are on this list in an attempt to learn how to
> protect ourselves from all the freaks out there. In return
> (at least in my case), we will do what we can to help the
> cause. However, most of the stuff you're talking about is way
> over our heads. So hey - I'm sorry if I used the term "NAT"
> wrong. By saying "NAT," I'm talking about my $40 Microsoft
> Basestation. It does a fine job of stealthing ALL of my
> incoming ports, so if some clever JERK does read my IP
> address from the headers I send out, they will not be able to
> enter my machine. As I understand it - the "jerk" can ping my
> machine all day and it won't respond. Sounds good to me...
>
> My second line of defense is my software firewall, which is
> backing up my basestation, and blocking any "call home to
> mommy" crap that might be on my machine. Isn't this the
> "layered defense" that you guys are talking about?? Or did I
> get that wrong too... Anyway - that's my understanding of
> NAT. It works great for me, and that was my point.
>
> Mike Wydra
>
>
>
