[Dshield] [DShield] Thanks Brian

Håkon Alstadheim hakon at alstadheim.priv.no
Sat Aug 13 10:50:15 GMT 2005


Aaron Lewis wrote:
>Mike, I don't believe there is any need for panic here. As you saw your IP
>address is public to anyone who cares. Stealthing or filtering ports, as
>your firewall is doing, is a much better defense. NAT in and of itself does
>nothing more than allow you to run several machines on one public address. A
>simple port scan will reveal any services that are permitted into your
>network.
>
>  
Any NAT'ing router will obviously also protect itself from the external 
net, e.g. by not allowing prings to itself from the outside. It will 
also need to drop packets that are obvously spoofed. Other than that NAT 
in and of itself will hide whatever is inside, on the private side, so 
that attackers can not route an attack directly to the inside. If some 
process on an internal machine connects to some malware site, or is 
running a root-kit, bad things will be allowed to happen unless a 
firewall is explicitly blocking those ports from starting TCP 
connections from the INSIDE. This is the part where NAT will not help, 
but then you are already stupid and/or 0wn3d.
>Not being able to ping something is a result of filtering ICMP and as was
>mentioned, most firewalls do this by default OR allow you to turn it on very
>easily.
>  
Any ICMP reply an outsider got would be from the router, not from a 
machine on the private side.
>Now I have a question, didn't this thread begin because you were asking
>about NATing a web server with load balancers? SO are we talking at the
>engineer level or are you a home user?
>  

-- 
Håkon Alstadheim 	+47 74 82 60 27
7510 Skatval



More information about the list mailing list