[Dshield] [DShield] Thanks Brian

Brian Dessent brian at dessent.net
Sat Aug 13 11:24:38 GMT 2005


Håkon Alstadheim wrote:

> Other than that NAT
> in and of itself will hide whatever is inside, on the private side, so
> that attackers can not route an attack directly to the inside. If some
> process on an internal machine connects to some malware site, or is
> running a root-kit, bad things will be allowed to happen unless a
> firewall is explicitly blocking those ports from starting TCP
> connections from the INSIDE.

That is a very nice side effect of most NAT implementations, but you
can't lay the praise on NAT for this.  It is the result of a stateful
firewall, and the same effect can be achieved without any NAT.  Iptables
commands to implement this have already been given elsewhere in this
thread.

Further, you can have NAT that doesn't block unsolicited incoming
connections -- essentially every port forwarded -- but still have
address translation taking place.  So it is unfounded to lay praise on
NAT when in fact it just happens that NAT and stateful firewalling are
so often used together.

Brian



More information about the list mailing list