Re: home network behind NAT and firewall ?

From: Gerald Vogt (vogt_at_spamcop.net)
Date: 02/21/05


Date: Mon, 21 Feb 2005 10:08:18 +0900


> Sure you do, you run the risk of having something improperly configured
> and fully exposing your network. I joined a company years ago, they were
> an engineering firm, they kept losing jobs to other firms. Their network
> was based on Windows 2000 workstations and Novell servers. All machines had
> a public IP and they figured since everything was based on Novell that they
> were safe - WRONG. As it turns out, many people would copy files from the

You are comparing completely different things. Having a public IP
address does not mean that you do not have a firewall in place that you
have to configure properly. A NAT would not help here either because
this, too, you have to configure properly. If you don't put in a
firewall, it is your own fault. But we were not talking about that.

> I have never seen a mapping problem with NAT devices, in fact, since we do
> NAT for all of our clients networks I can honestly say that it works
> beautifully.

That is the problem: you don't notice when it is not working. Maybe you
click on a web page and the answer does not come. You press reload, it
opens a new connection and it works fine. The problem is not obvious.
If it works 99% of the time you will hardly notice the 1%, particularly
when interacting with the internet, where things often do not work
properly. There is the potential...

> The weakness is in assuming that a packet filter is always properly
> configured. When I setup a company with a private address space behind 12

That is correct for NAT routers and firewall routers.

> PUBLIC IP's, they only map the first 11 IP's to public servers if needed,
> and then it's not all ports, just the specific ports that are necessary -
> in many cases it only takes 2 or 3 IP to setup mail, ftp, web, demo space,
> and VPN. I would rather only map a few ports from a few IP to public
> servers than to create rules to filter 200 public IP to 200 internal
> computers based on what those systems need.

Sorry. But what is so hard about a rule "DENY ALL" and then configuring
specific "ALLOW"s? You do exactly the same with private or public IP
addresses. You configure which ports you actually want to let through. You
don't configure 200 rules, you configure _exactly_ the same, except you
do not have to provide the explicit mapping of the incoming connection
to servers because that is obviously not required. There is absolutely
no difference here. It seems as if you never actually configured a
firewall if you think that for 200 public IPs you have to write rules
for each and every one. You can do that if you like specific rules for
what a computer may do in the outbound direction, but even then you create
proper classes and assign computers to classes. In the inbound
direction you have the same: if you want a mail server accessible you
have to open the port. With NAT you have to give the private IP address of
the server. With a public IP address you open the smtp port on the IP
address of the mail server.

> NAT) it would have worked by default. The difference is that a
> misconfigured firewall, or an unfinished configuration, will not expose
> internal services until it's properly setup.

This is always the problem. Misconfiguration is no different with NAT or
without. If people put a DMZ into your NAT to play internet games, it
is a misconfiguration exposing the whole machine. Even worse, if your
router does not assign fixed IP addresses but always uses DHCP (like my
Linksys), it may even happen that you turn off your computer in the
evening, your wife turns on hers in the morning and she ends up on the DMZ
IP address... There are always tons of possible misconfigurations. It is
useless to argue about where the worse misconfigurations could be. This
would require proper research about classes of misconfigurations and
their impacts, etc.

But for a normal, proper configuration there is no difference: you block
everything inbound and then allow specific ports/port-forwardings.

Gerald
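The "deny all, then allow specific ports" setup argued for above, written out as an added example that is not part of the original post. It uses nftables syntax (which postdates this 2005 thread; the same rules can be expressed with iptables) and shows the two cases side by side: a mail server on its own public address, and the same server on a private address behind NAT. Interface names (wan0, lan0) and addresses (203.0.113.0/24 as the public block, 192.168.1.0/24 as the private network, .25 for the mail server) are assumptions for illustration only.

```nft
# Added example (not from the original post). Two nftables rulesets that
# do the same job: default-deny inbound, one explicit allow for SMTP.
# Interface names and addresses are illustrative assumptions.

# --- Case 1: routed public addresses, stateful firewall, no NAT ---
table inet fw_public {
    chain forward {
        type filter hook forward priority filter; policy drop;  # DENY ALL
        ct state established,related accept   # replies to traffic we allowed
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept  # anything outbound from the LAN
        # explicit ALLOW: SMTP to the mail server's own public address
        iifname "wan0" ip daddr 203.0.113.25 tcp dport 25 ct state new accept
    }
}

# --- Case 2: private addresses behind NAT ---
table inet fw_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # the only extra piece NAT needs: map the public port to the private server
        iifname "wan0" ip daddr 203.0.113.1 tcp dport 25 dnat ip to 192.168.1.25:25
        # a consumer router's "DMZ host" is this same line without the
        # "tcp dport 25" match, i.e. every port forwarded to one machine
    }
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "wan0" masquerade             # hide LAN addresses behind the WAN IP
    }
    chain forward {
        type filter hook forward priority filter; policy drop;  # same DENY ALL
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
        # same explicit ALLOW; the forward hook runs after DNAT, so the
        # filter rule matches the already-translated private address
        iifname "wan0" ip daddr 192.168.1.25 tcp dport 25 ct state new accept
    }
}
```

Load one of the two tables with `nft -f <file>` and list the result with `nft list ruleset`. The filter chains are line-for-line identical apart from the destination address; the NAT case only adds the dnat and masquerade rules, which is exactly the "explicit mapping" the reply above says is the one difference. The DMZ comment in the prerouting chain is why a DMZ setting exposes the whole machine: it is a port-forward with no port match.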


