Re: Newbie, someone have how-to on from-scratch Debian firewall?
On Tue, Nov 07, 2000 at 05:04:39AM -1000, Brian Russo wrote:
> hm if you're using private addressing and doing NAT/PAT ?
> well obviously you can't do that transparently because .. it has no network
> address, the fw that is.
Sure.
> i don't see how it makes your internal sites more open to attack if
> you're using global's, as you can still apply pretty much the same fw ruleset.
Let's say I run some server behind my firewall and a proxy on my
firewall. In this situation an attacker either has to take over the
firewall, or he/she has to find a way to attack my server through my proxy.
If I just route packages to my server (and this includes port forwarding
which is often used in NAT environments) the attacker can attack my server
directly.
A pretty good example is ftp. Client suffices, no need to run a server.
There are exploits known for active and passive ftp so that your average
script kiddie can open a hole in your firewall in seconds even in a
masquerading environment. So your setup seems to be even easier to break
into.
Michael
--
Michael Meskes
Michael@Fam-Meskes.De
Go SF 49ers! Go Rhein Fire!
Use Debian GNU/Linux! Use PostgreSQL!
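
An added example, not part of the original message: one check an FTP-aware proxy or firewall helper can apply to an active-mode `PORT` command before it permits the data connection, refusing any address other than the control-connection peer and any privileged port. The function name and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" names the address and port the
# client wants the FTP server to connect back to for the data channel.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$",
    re.IGNORECASE,
)


def check_port_command(line, client_ip):
    """Return (allowed, reason) for a PORT line seen on a control connection.

    client_ip is the source address of the control connection as the
    firewall or proxy itself observed it, not anything the client claims.
    """
    m = PORT_RE.match(line)
    if not m:
        return False, "not a well-formed PORT command"
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return False, "field out of range"
    addr = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    # Only ever open a path to the host that owns the control connection.
    if addr != ipaddress.IPv4Address(client_ip):
        return False, f"address {addr} is not the control peer {client_ip}"
    # Never open a path to a port where a local service could be listening.
    if port < 1024:
        return False, f"port {port} is privileged"
    return True, f"allow data connection to {addr}:{port}"


if __name__ == "__main__":
    # Constructed sample lines; the control peer is 192.168.1.10.
    samples = [
        "PORT 192,168,1,10,195,80\r\n",
        "PORT 192,168,1,20,195,80\r\n",
        "PORT 192,168,1,10,0,23\r\n",
        "PORT 192,168,1,10,195\r\n",
    ]
    for s in samples:
        print(repr(s), "->", check_port_command(s, "192.168.1.10"))
```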