Re: [fw-wiz] re: NAT for a simple network

From: R. DuFresne (dufresne_at_sysinfo.com)
Date: 08/16/03

    To: "Robert E. Martin" <rmartin@fishburne.org>
    Date: Fri, 15 Aug 2003 18:06:21 -0400 (EDT)
    
    

    On Fri, 15 Aug 2003, Robert E. Martin wrote:

    > "in general, you should verify packets are
    > not allowed to the device from the big bad Internet. you may also want to
    > only allow local access from select IP addresses or subnets."
    >
    >
    >
    > So if I deny all from the outside coming in and allow all from the
    > inside to go out, I should have the beginnings of a secure
    > firewall.?!??!! This is not to say that it is a catch all but a start.
    > Perhaps add rule stating only the internal subnet goes out and to deny
    > all others. As I stated before, this is a simple network, no services
    > coming in from the outside, just internet access for the subnet inside
    > and dhcp running on the gateway.
    > Thanks to all that replied to this original post. This is a valuable
    > resource to me. Thanks again!!
    >

    Be careful here, it's not deny all from the outside, in this case, it's
    only allow back in what started from the inside out, thus you need to keep
    state. Those rules posted earlier looked like iptables or ipfw kind of
    rules, and those are 'stateful' enough to suit the purpose here. If you
    simply do not allow anything inside from the outside, then your users will
    hate you <smile>, as they will connect, and then sit, and sit, and sit
    <seeing nothing>...

    Thanks,

    Ron DuFresne

    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior security consultant:  sysinfo.com
                            http://sysinfo.com
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    testing, only testing, and damn good at it too!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
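An added illustration of the distinction Ron draws (example code, not part of the original thread): a stateless "deny everything from outside" policy beside a filter that keeps a connection table and lets back in only replies to flows the inside started, the same effect as iptables' ESTABLISHED,RELATED match or ipfw's keep-state. The subnet and packets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.1.0/24")  # constructed example LAN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # "lan" = arriving from inside, "wan" = arriving from the Internet


def from_inside(pkt: Packet) -> bool:
    """Outbound only if it came in on the LAN side *and* carries a local source."""
    return pkt.iface == "lan" and ipaddress.ip_address(pkt.src) in INSIDE


def stateless_deny_inbound(pkt: Packet) -> str:
    """Naive reading of the advice: everything from the WAN side is dropped,
    including the SYN-ACK answering a connection a user just opened."""
    return "ACCEPT" if from_inside(pkt) else "DROP"


class StatefulFilter:
    """Tracks flows the inside started; only their return traffic is let back in."""

    def __init__(self) -> None:
        self.flows: set[tuple] = set()

    def decide(self, pkt: Packet) -> str:
        if from_inside(pkt):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.iface == "wan" and reverse in self.flows:
            return "ACCEPT"  # reply to an established outbound flow
        return "DROP"  # unsolicited inbound, or spoofed/non-local source on the LAN


def run(policy, packets) -> list[str]:
    return [policy(p) for p in packets]


# Constructed sample traffic: a web request, its reply, an unsolicited probe,
# and a packet on the LAN side with a source that is not the internal subnet.
SAMPLE = [
    Packet("192.168.1.10", 40000, "203.0.113.5", 80, "lan"),
    Packet("203.0.113.5", 80, "192.168.1.10", 40000, "wan"),
    Packet("198.51.100.7", 12345, "192.168.1.10", 445, "wan"),
    Packet("10.0.0.9", 5555, "203.0.113.5", 80, "lan"),
]
```

Running both policies over SAMPLE shows the stateless version dropping the server's reply (the "sit, and sit, and sit" case) while the stateful one accepts it and still drops the probe and the non-local source.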
    
