Post #38, 10-17-2007, 11:42 AM
Leythos

Re: How did they get past my NAT?

In article <kdhRi.33209$%B2.7020@edtnps82>, unruh-spam@physics.ubc.ca
says...
> Leythos <void@nowhere.lan> writes:
>
> >In article <KacRi.33135$%B2.844@edtnps82>, unruh-spam@physics.ubc.ca
> >says...
> >> The question was not whether NAT was a firewall function but whether NAT
> >> with no port holes punched through was effectively a firewall allowing no
> >> unsolicited incoming traffic.
> >>
> >> Is there a way in which a NAT router, with no holes punched through, is
> >> more insecure than a firewall which rejects all unsolicited incoming
> >> traffic? If you claim it is more insecure, please tell us why.
>
> >And you're all wet because a firewall protects in both directions.
>
> Protects what in both directions? We are talking about an outsider
> attacking a machine behind the NAT/firewall. What is the relevance of "both
> directions" to the issue at hand?


You don't appear to know about "both directions": in many cases you
don't allow ALL OUTBOUND. In fact, there is little reason to allow all
outbound, and it's a bad rule to use ALLOW ANY > EXTERNAL.

I never allow TCP 1433, TCP 1434, TCP 135-139 or TCP 445 outbound on
networks. I might only allow SMTP outbound from 1 IP in the LAN, and I
might want to block outbound connections except from a small range of IPs
in the LAN but not in the DMZ - a firewall can do that, your home NAT
ROUTER can't.

What about the DMZ network? Most NAT routers have the option, but most
of them don't actually set up/use a DMZ network; it's just an IP on the
LAN that gets ALL traffic not forwarded to some other area, which means
it's NOT a DMZ and it's not protected from/to the LAN. A firewall
doesn't make that mistake.

--
Leythos - spam999free@rrohio.com (remove 999 to email me)

Fight exposing kids to porn, complain about sites like pcbutts1 that
create filth and put it on the web for any kid to see: Just take a look
at some of the FILTH he's created and put on his website:
http://forums.speedguide.net/archive.../t-223485.html all exposed
to children (the link I've included does not directly display his filth).
You can find the same information by googling for 'PCBUTTS1' and
'exposed to kids'.
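As an added illustration of the egress-filtering and DMZ points Leythos makes above (this is example code written for this page, not code from the thread or from any router or firewall product), the following Python models a first-match zone/port policy and evaluates constructed flows against two rulesets: a NAT router's "allow any outbound, and the DMZ host is just another LAN IP", and a firewall with rules in the spirit of the post (Windows/SQL ports blocked outbound, SMTP only from one relay, general outbound only from a small range, DMZ unable to initiate into the LAN). The zone names, the 10.0.0.0/24 addresses, the 10.0.0.25 relay and the 10.0.0.16/28 workstation range are all hypothetical.

```python
# Added example (not from the thread): first-match egress/zone policy evaluator.
# All zone names, addresses and ranges below are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone the connection is initiated from: "lan", "dmz" or "wan"
    dst_zone: str   # zone it is heading to
    src_ip: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    src: str = "0.0.0.0/0"    # source prefix the rule applies to
    proto: str = "any"
    ports: tuple = ()         # () = any port; items are ints or (low, high) ranges
    note: str = ""


def _port_match(ports, dport):
    if not ports:
        return True
    for p in ports:
        if isinstance(p, tuple):
            if p[0] <= dport <= p[1]:
                return True
        elif p == dport:
            return True
    return False


def rule_matches(rule, flow):
    return (rule.src_zone in ("any", flow.src_zone)
            and rule.dst_zone in ("any", flow.dst_zone)
            and ip_address(flow.src_ip) in ip_network(rule.src)
            and rule.proto in ("any", flow.proto)
            and _port_match(rule.ports, flow.dport))


def evaluate(policy, flow):
    """First matching rule wins; no match falls through to an implicit deny."""
    for rule in policy:
        if rule_matches(rule, flow):
            return rule.action, rule.note
    return "deny", "implicit default deny"


# Consumer NAT router: anything initiated inside goes out, and the "DMZ host"
# is just another LAN address that the router never separates from the LAN.
NAT_ROUTER = [
    Rule("allow", "lan", "wan", note="NAT router: ALLOW ANY > EXTERNAL"),
    Rule("allow", "lan", "lan", note="same LAN segment; the router never sees it"),
]


def nat_router_view(flow):
    """On a NAT router the 'DMZ' host is just a LAN IP, so collapse that zone."""
    z = lambda zone: "lan" if zone == "dmz" else zone
    return Flow(z(flow.src_zone), z(flow.dst_zone), flow.src_ip, flow.proto, flow.dport)


MAIL_RELAY = "10.0.0.25/32"      # hypothetical: the one host allowed to send SMTP
WORKSTATIONS = "10.0.0.16/28"    # hypothetical: small range allowed general outbound
FIREWALL = [
    Rule("deny", "lan", "wan", proto="tcp", ports=(1433, 1434, (135, 139), 445),
         note="never allow MSSQL/RPC/NetBIOS/SMB outbound"),
    Rule("allow", "lan", "wan", src=MAIL_RELAY, proto="tcp", ports=(25,),
         note="SMTP only from the mail relay"),
    Rule("deny", "any", "wan", proto="tcp", ports=(25,), note="no other outbound SMTP"),
    Rule("allow", "lan", "wan", src=WORKSTATIONS, note="general outbound from the workstation range"),
    Rule("deny", "dmz", "lan", note="a real DMZ may not initiate into the LAN"),
    Rule("allow", "dmz", "wan", proto="tcp", ports=(80, 443), note="DMZ web hosts out to the Internet"),
]


def verdicts(flow):
    """Return (nat_router_action, firewall_action) for one flow."""
    return evaluate(NAT_ROUTER, nat_router_view(flow))[0], evaluate(FIREWALL, flow)[0]


if __name__ == "__main__":
    samples = [  # constructed flows
        Flow("lan", "wan", "10.0.0.20", "tcp", 445),       # SMB leaving a workstation
        Flow("lan", "wan", "10.0.0.20", "tcp", 25),        # workstation sending mail directly
        Flow("lan", "wan", "10.0.0.25", "tcp", 25),        # the relay sending mail
        Flow("lan", "wan", "10.0.0.100", "tcp", 443),      # host outside the permitted range
        Flow("dmz", "lan", "192.168.100.10", "tcp", 445),  # "DMZ" host reaching into the LAN
    ]
    for f in samples:
        nat, fw = verdicts(f)
        print(f"{f.src_zone}->{f.dst_zone} {f.src_ip} {f.proto}/{f.dport}: NAT router={nat}, firewall={fw}")
```

The two rulesets are deliberately evaluated with identical first-match semantics so that the only difference in the verdicts comes from the policy itself: the NAT router model allows every sample flow, including the "DMZ" host opening SMB into the LAN, while the firewall model denies everything except the relay's SMTP and the workstation range's general outbound traffic.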
