[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian ISOs

Selon "Bernhard R. Link" <brlink@debian.org>:

> > They don't work well if there's NAT[1] involved, you wanted to say.
> Blocking incoming connections is a common and good starting points for
> every firewall setup.

This is only meaningful if there are any open ports by default. Quite many
Linux distributions have all ports closed by *default* after installation. If
root installs some software that happens to open ports, I tend to believe that
(s)he actually intends these ports to be opened (since the installed
application would likely need these to operate).

Whether this is still true for Debian, since it does not suffer the
reinstall-needed-every-six-month plague. It was not true for Woody though :(

> That NAT makes this mandatory does not change the
> fact that protocols needing listening ports are a security hole many
> people do not like to introduce.

Any additionnal software comes with associated risks. If you can't accept
them, don't install the software. And if you can't prevent others from
installing them, use a stateful firewall or setup a non-routed-with-proxies

I would never rely on the NAT function of my Internet gateway for this
purpose. NAT implementations are completely inconsistent, and quite many of
them are much more easy to dig hole through than a real firewall.

> > Do I need to point out a wonderful opportunity to push in some IPv6
> > propaganda?
> One of the nice features of NAT is that it adds another layer of
> security if your firewall contains a "no incoming connections" part:

If there are already no incoming connections, the only security
"feature" the NAT might possibly boast (though I consider it a side effect
rather than a feature) is network topology hiding.

> If everything fails there still has to be some mechanism to translate
> the intern IPs to extern addressable.

This is indeed mostly true. And while any sane firewall should fail closed, it
is typically not the case with Linux/NetFilter/iptables because not every
Linux box is a firewall.

However this security fallback depends on the upstream router (or any box that
can send packets to the public interface of the NAT) being trustworthy: should
it ever send your NAT a packet with a "intern IP" as destination, the NAT will
be happy to forward it inside.

> So I hope someone will still make it available with IPv6...

IPv6 stateful firewalls already exist (e.g. Linux 2.6.16).

IPv6 NAT is a very bad idea. What is the point of investing billions into IPv6
transition if you reintroduced problems that it is supposed to fix (NAT) in
the first place?

Remi Denis-Courmont

Reply to: