security without NAT?

Chuck Swiger cswiger at
Sun Feb 27 23:58:17 GMT 2005

Stevan Tiefert wrote:
[ ... ]
> I understand that if these workstations want to request answers from
> outside the private network are never getting answers, but is it possible
> to see and attack these workstations from outside?

If you avoid configuring a default route on the local machines, and require 
them to access any remote services via a subnet-local proxy on this gateway, 
it will help security significantly.

However, you need to take a great deal of care with the gateway machine even 
if you disable NAT on it, for reasons someone else just mentioned.  Also, and 
in particular, you need to block the loose and strict source-routing IP option 
via a firewall, or else someone who knows what they are doing can still get 
traffic into your local subnet.

