Re: [fw-wiz] re: NAT for a simple network

From: R. DuFresne (
Date: 08/16/03

  • Next message: Frank Knobbe: "RE: [fw-wiz] Blocking MS Blaster --> filter outbound access"
    To: "Robert E. Martin" <>
    Date: Fri, 15 Aug 2003 18:06:21 -0400 (EDT)

    On Fri, 15 Aug 2003, Robert E. Martin wrote:

    > "in general, you should verify packets are
    > not allowed to the device from the big bad Internet. you may also want to
    > only allow local access from select IP addresses or subnets."
    > So if I deny all from the outside coming in and allow all from the
    > inside to go out, I should have the beginnings of a secure
    > firewall.?!??!! This is not to say that it is a catch all but a start.
    > Perhaps add rule stating only the internal subnet goes out and to deny
    > all others. As I stated before, this is a simple network, no services
    > coming in from the outside, just internet access for the subnet inside
    > and dhcp running on the gateway.
    > Thanks to all that replied to this original post. This is a valuable
    > resource to me. Thanks again!!

    Becareful here, it's not deny all from the outside, in this case, it's
    only allow backin what started from the inside out, thus you need to keep
    state. Those rules posted earlier looked like iptables or ipfw kind of
    rules, and those are 'stateful' enough to suit the purpose here. If you
    simply do not allow anything inside from the outside, then your users will
    hate you <smile>, as they will connect, and then sit, and sit, and sit
    <seeing nothing>...


    Ron DuFresne

            admin & senior security consultant:
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    firewall-wizards mailing list

  • Next message: Frank Knobbe: "RE: [fw-wiz] Blocking MS Blaster --> filter outbound access"