Subject: Re: Ye olde PR #991 - packets destined for interface IP# are accepted regardless of which interface they arrive on.
To: Andrew Brown <atatat@atatdot.net>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 05/07/2000 21:58:05
>>>>> "Andrew" == Andrew Brown <atatat@atatdot.net> writes:
Andrew> i'll grant you that, but it's still much harder to break a proxy so
Andrew> that it accidentally forwards every connection attempt. packet
Andrew> filters can be easily broken (by clueless personnel) such that they
Andrew> *do* forward too much.
>>
>> Yes, I agree completely. However, they promote NAT (BlackHole was the
>> first proxy based firewall that gave you option not to do NAT), and they
>> totally kill IPsec. I've repented, since I like IPsec more than I like
>> proxies :-)
Andrew> maybe i'm not understanding your position...but you seem to be advocating
Andrew> proxied services. with proxied services, nat is not necessary; with
Andrew> filtered forwarding, it may be (for, eg, load balancing a la local
Andrew> director).
If you proxy services, then the address that a web server sees is the
address of the proxy server, not that of the real client. Since a proxy
server will usually allocate new ports, a proxy-based server is mostly
indistinguishable from a NAPT.
Andrew> as for nat, i *don't* promote nat. it breaks *anything* that expects
Andrew> to be able to look at the remote (or even local in some cases) address
Andrew> and use it in the protocol (eg, ftp, dcc, and in another way, dnssec).
Agreed.
Andrew> what i've done in the past is write separate rules for inbound
Andrew> connection attempts (and udp transactions) all with "keep state" and
Andrew> then a rule that allows tcp (and udp) out with "keep state",
Andrew> thereby keeping everything flowing nicely, but keeping out (and
Andrew> tracking) anything i don't want.
It works really well for two interface firewalls, but gets somewhat
cumbersome when you have three or four interfaces. Groups make it a lot
easier, but it could still be easier again...
:!mcr!: | Solidum Systems Corporation, http://www.solidum.com
Michael Richardson |The Internet Packet Processing Company. At Interop LV2000
Personal: mcr@sandelman.ottawa.on.ca. PGP key available.
Corporate: mcr@solidum.com.
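A ruleset in the style Andrew describes, added here as a constructed example (it is not from the thread or from ipf's own documentation); the interface names, addresses and published services are assumptions. It also shows the rule groups Michael mentions for a third interface.

```conf
# Constructed ipf.conf: ex0 faces the Internet (firewall address 192.0.2.10),
# in0 faces the LAN (192.168.1.0/24), dmz0 faces a DMZ (192.0.2.128/25).

# Default deny in both directions; log what gets dropped.
block in log all
block out log all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the external interface: nothing arriving from the
# Internet may claim an internal or loopback source address.
block in quick on ex0 from 192.168.1.0/24 to any
block in quick on ex0 from 127.0.0.0/8 to any

# Inbound connection attempts, one rule per published service.  With
# "keep state" only the opening packet has to match a rule; the rest of
# the connection and its replies are matched from the state table.
pass in quick on ex0 proto tcp from any to 192.0.2.10 port = 25 flags S keep state
pass in quick on ex0 proto udp from any to 192.0.2.10 port = 53 keep state

# Outbound: anything the LAN originates is allowed out, and the state entry
# carries the replies back in.  A forwarded packet is checked on both
# interfaces, so it must be passed in on in0 and out on ex0.
pass in quick on in0 from 192.168.1.0/24 to any keep state
pass out quick on ex0 proto tcp from any to any flags S keep state
pass out quick on ex0 proto udp from any to any keep state

# Third interface: a "head" rule branches into its own group, so only that
# group's rules are tried for dmz0 traffic; if none matches, the head's
# block action applies.
block in quick on dmz0 all head 200
pass in quick proto tcp from 192.0.2.128/25 to any port = 25 flags S keep state group 200
```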