RE: firewalling behind NAT?
- To: "'tlug@example.com'" <tlug@example.com>
- Subject: RE: firewalling behind NAT?
- From: Scott Stone <SStone@example.com>
- Date: Mon, 21 May 2001 11:07:59 -0700
- Content-Type: text/plain;charset="iso-8859-1"
- Reply-To: tlug@example.com
- Resent-From: tlug@example.com
- Resent-Message-ID: <r2h4dC.A.TVG.WIXC7@example.com>
- Resent-Sender: tlug-request@example.com
Yes, default drop and then add in things to accept is, in my view, the Correct Way to Do Things. I can send you an iptables script to do that.

If you're running 7.1 and using ipchains, especially if that's the default Red Hat way of doing things, someone at RH needs to be bonked on the head repeatedly... with 2.4, you use iptables... no real reason not to.

-----------------------------------------------------
Scott M. Stone <sstone@example.com>
Senior Technical Consultant - UNIX and Networking
Taos, the Sysadmin Company - Santa Clara, CA

-----Original Message-----
From: Thomas O'Dowd [mailto:tom@example.com]
Sent: Monday, May 21, 2001 8:17 AM
To: tlug group
Subject: firewalling behind NAT?

Hi,

Quick question, do you need to use a firewall if you are behind a NAT router? I.e., my machine has a non-routable IP address and the gateway is a separate box (in this case, an ADSL router) on the LAN. I filter all open ports on the router to only accept incoming connections to the router on the internal interface. Quick port scan from the outside confirmed this. Since I'm not really filtering anything else right now, can a cracker somehow find a way through my router to a NAT'd machine on the inside? I don't think so, but I could be wrong?

Also, just installed RH7.1 and think it is kinda weird that they start with ipchain policies of accept and add explicit things to drop rather than a policy of drop and the other way round, which is probably the way that I would do it.

Cheers,

Tom.

--
Thomas O'Dowd. - Nooping - http://nooper.com
tom@example.com - Testing - http://nooper.co.jp/labs

-----------------------------------------------------------------------
Next Technical Meeting: Sat, May 12 13:30-
Next Nomikai Meeting: Fri, June (TBA) 19:30- Tengu Tokyo Eki Mae
-----------------------------------------------------------------------
more info: http://www.tlug.gr.jp Sponsor: Global Online Japan
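The two policy styles contrasted in this message, as an added example that is not part of the original thread and is not the script Scott offered to send. Both rulesets are constructed samples in `iptables-save` format; the LAN range 192.168.1.0/24, the SSH rule, the dropped ports and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample: policy DROP, then explicit accepts (the approach the reply favours).
default_drop_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: policy ACCEPT with explicit drops (the style the original
# post found odd). Any port not listed stays reachable.
default_accept_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 111 -j DROP
-A INPUT -p tcp --dport 6000 -j DROP
COMMIT
EOF
}

# Read iptables-save text on stdin and print each filter-table INPUT/FORWARD
# chain whose default policy is ACCEPT. Other tables (nat, mangle) are ignored.
permissive_chains() {
  awk '
    /^\*/ { table = substr($1, 2) }
    table == "filter" && /^:(INPUT|FORWARD) / && $2 == "ACCEPT" { print substr($1, 2) }
  '
}

# Audit both constructed rulesets and report the result for each.
for ruleset in default_drop_ruleset default_accept_ruleset; do
  chains=$($ruleset | permissive_chains | paste -sd, -)
  echo "$ruleset: ${chains:-no default-accept chains}"
done
```

On a live host the same check is `iptables-save | permissive_chains` run as root, and a ruleset in this format is loaded with `iptables-restore`.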