security without NAT?
Chuck Swiger
cswiger at mac.com
Sun Feb 27 23:58:17 GMT 2005
Stevan Tiefert wrote:
[ ... ]
> I understand that if these workstations want to request answers from
> outside the private network they are never getting answers, but is it possible
> to see and attack these workstations from outside?
If you avoid configuring a default route on the local machines, and require
them to access any remote services via a subnet-local proxy on this gateway,
it will help security significantly.
However, you need to take a great deal of care with the gateway machine even
if you disable NAT on it, for reasons someone else just mentioned. Also, and
in particular, you need to block the loose and strict source-routing IP option
via a firewall, or else someone who knows what they are doing can still get
traffic into your local subnet.
--
-Chuck
More information about the freebsd-questions mailing list