[TriLUG] OT: Router vs Firewall, Was: OT: strange happenings - self booting server?
William Sutton
william at trilug.org
Fri Apr 14 12:23:19 EDT 2006
For those of us interested in learning more but who had no clue what you
just said (>me<)...could you kindly translate? :)
--
William Sutton
On Fri, 14 Apr 2006, Ryan Leathers wrote:
> Brian,
>
> NAT does not give you stateful inspection. Imagine the example of shell
> shoveling. Through some exploit, an outbound connection is made from
> your network, through the NAT, to some destination. Said exploit
> permits a shell to be tossed at the destination so the remote attacker
> now has an interactive connection right through your NAT. (People
> sometimes use netcat to do this, thwarting the office security policy)
> Obviously, preventing the exploit in the first place is desirable, but
> if you are using a stateful firewall there is an excellent chance you'll
> be protected from this kind of exploit.
>
> Ryan
>
> On Fri, 2006-04-14 at 10:48 -0400, Brian Henning wrote:
> > Okay, since there's still a lot I have to learn, I'll ask the question:
> >
> > What do you gain from having a firewall behind a NAT router with no port
> > forwards? Speaking only in terms of inbound protection, of course.
> > Obviously a firewall can filter traffic in both directions. Can one not
> > depend on a forwardless NAT router to simply drop all incoming
> > connection attempts? Are there packets, or methods of connecting, that
> > can somehow sneak through such a NAT setup and reach machines on the inside?
> >
> > In all the networks I administer, firewall + router is the standard
> > operating procedure, so I'm just interested in more of the reasons why
> > it's a good idea (that is, I don't need any convincing to start doing it).
> >
> > As always, both lengthy explanations and links to reading material are
> > appreciated equally. :-)
> >
> > Cheers,
> > ~B
> >
> > P.S. A linux box with iptables configured on the "reject everything but
> > _____" principle counts as "good," right? :-)
> >
> >
> >
> > Cristobal Palmer wrote:
> > > So the backstory is that we (Brian + Cerient) ate lunch, and I told
> > > Brian about this... *ahem* ...friend of mine who insisted to me that a
> > > router is always a firewall. When I say insisted, I mean he followed
> > > me after I'd gotten up and left the room. I mean he emailed me the
> > > next morning to follow up on his insistence.
> > >
> > > I... uhh... have some weird friends. Seriously though, get a good
> > > firewall everybody. The internets are dangerous.
> > >
> > > Vice-chair-ily yours,
> > > CMP
> > >
>
>
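An added illustration, not written by any of the posters, of Ryan's point: a small Python model of connection tracking in which a NAT-only router accepts any new outbound flow and then admits the attacker's replies as part of that flow, while a stateful firewall that also applies Brian's "reject everything but ____" rule to outbound traffic refuses the shoveled shell yet still passes ordinary web connections. The hosts, ports and allowed-port set are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = LAN -> Internet, "in" = Internet -> LAN
    inside: tuple     # (lan_host, lan_port)
    outside: tuple    # (remote_host, remote_port)
    syn: bool         # True when the packet opens a new connection

class ConntrackFilter:
    """Replies to a tracked flow pass (ESTABLISHED); unsolicited inbound is
    dropped; a new outbound flow is accepted only if the egress policy allows it."""
    def __init__(self, egress_policy):
        self.egress_policy = egress_policy   # callable(Packet) -> bool
        self.flows = set()                   # tracked (inside, outside) pairs

    def decide(self, pkt):
        flow = (pkt.inside, pkt.outside)
        if flow in self.flows:               # belongs to a connection we have seen
            return "ACCEPT"
        if pkt.direction == "in":            # no port forward, no tracked flow: drop
            return "DROP"
        if pkt.syn and self.egress_policy(pkt):
            self.flows.add(flow)             # start tracking the new outbound flow
            return "ACCEPT"
        return "DROP"

def make_nat_only():
    # A plain NAT router with no forwards: every outbound connection is allowed.
    return ConntrackFilter(lambda p: True)

def make_egress_firewall(allowed_ports=frozenset({80, 443})):
    # Stateful firewall with "reject everything but web" applied to outbound too.
    return ConntrackFilter(lambda p: p.outside[1] in allowed_ports)

def run_scenario(fw):
    # Constructed traffic (RFC 5737 documentation addresses): an exploited LAN
    # host opens a connection to a remote listener on port 4444, the remote side
    # answers over that same flow, a normal HTTPS request goes out, and an
    # outsider probes the LAN host directly.
    lan, listener, web = ("192.0.2.10", 40000), ("203.0.113.5", 4444), ("198.51.100.7", 443)
    return {
        "shovel_out": fw.decide(Packet("out", lan, listener, syn=True)),
        "shovel_reply": fw.decide(Packet("in", lan, listener, syn=False)),
        "web_out": fw.decide(Packet("out", ("192.0.2.10", 40001), web, syn=True)),
        "unsolicited_in": fw.decide(Packet("in", ("192.0.2.10", 22), ("203.0.113.5", 5555), syn=True)),
    }
```

Both devices drop the unsolicited probe, which is all a forwardless NAT promises; only the firewall with an outbound policy stops the interactive shell from ever being established.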