From: Francesco Ciocchetti <primero@fastwebnet.it>
To: iml@zip.com.au,
	"netf >> \"Netfilter lista (iptables)\""
	<netfilter@lists.netfilter.org>
Subject: Re: philosophical question regarding NAT
Date: Tue, 10 May 2005 15:11:48 +0200	[thread overview]
Message-ID: <4280B314.6090701@fastwebnet.it> (raw)
In-Reply-To: <1115723584l.29661l.0l@server.moose.blogdns.org>

Ian Laurie wrote:

>
> which enforces NAT, ie, only NATed things can get through.  While you
> can achieve the same thing by setting policy of FORWARD to DROP and
> allowing only RELATED and ESTABLISHED stuff through (which I do)
> I am surprised I have not seen this PREROUTING rule used more often as
> a safety measure.
>
> It doesn't seem to break anything, does anyone know why this technique
> isn't seen more often?
>
> Ian
It does not break anything to put a DROP target rule in the PREROUTING chain
of the nat table, but it should not be done, because of a ... convention :)

I mean, there are 3 tables, ok? And each of them has its scope.

NAT for address translation.
FILTER for filtering packets.
MANGLE for dealing with packet flags and so on ...

Why DROP in the NAT table instead of doing this in its own chain? I don't
think it is a performance issue ... ok, dropping as soon as possible can
save some resources, but do you really need to save these? How many
rules do you have?

Use each table for what its scope is, because of the packet traversal scheme
and flow control; this is my hint.

BTW, it is normal that using only NAT will leave a lot of holes in your
firewall; NAT is just one piece of your net security ... filtering is
another one ;)

Bye
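As an added example (not part of the thread or of anyone's posted rules), the split Francesco recommends is shown below in iptables-restore format next to the nat-PREROUTING DROP variant Ian asks about, together with a small lint that flags DROP/REJECT targets inside the nat table. The interface names eth0 (WAN) and eth1 (LAN) and the address 203.0.113.1 are constructed placeholders; Ian's exact match is not in the quoted text. One caveat worth keeping in mind: the nat table is consulted only for the first packet of a connection, so a DROP placed there never sees later packets of a flow, which is one reason filtering belongs in the filter table, where every forwarded packet passes.

```shell
#!/bin/sh
# Added example, not from the thread: two rulesets in iptables-restore format
# plus a lint that counts DROP/REJECT targets inside the *nat section.
# eth0 (WAN), eth1 (LAN) and 203.0.113.1 are constructed placeholders.
# Nothing here calls iptables or iptables-restore, so it runs unprivileged.

# The split the reply recommends: translation in nat, filtering in filter.
# FORWARD defaults to DROP; only RELATED/ESTABLISHED and LAN-originated NEW
# connections are let through.
filter_first_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# The variant under discussion: a DROP in nat PREROUTING with FORWARD left
# open. The match on 203.0.113.1 is constructed; the real rule is not shown
# in the quoted message. Because the nat table only sees the first packet
# of each connection, this DROP is not a substitute for a FORWARD policy.
nat_drop_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 ! -d 203.0.113.1 -j DROP
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Lint: read an iptables-restore dump on stdin and print how many rules in
# the *nat section jump to DROP or REJECT. Policy lines (":CHAIN DROP") are
# not rules and are not counted.
nat_table_drops() {
    awk '
        /^\*/     { table = substr($0, 2) }
        /^COMMIT/ { table = "" }
        table == "nat" && /-j (DROP|REJECT)( |$)/ { n++ }
        END       { print n + 0 }
    '
}

# Stand-alone run: report both rulesets.
for rs in filter_first_ruleset nat_drop_ruleset; do
    printf '%s: %s DROP/REJECT rule(s) in nat table\n' \
        "$rs" "$($rs | nat_table_drops)"
done
```

The lint is the kind of check to run over `iptables-save` output during a firewall review: any non-zero count means filtering decisions are being made in the nat table and should be moved to the filter table's FORWARD (or INPUT) chain.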




Thread overview: 7+ messages
2005-05-10 11:13 philosophical question regarding NAT Ian Laurie
2005-05-10 11:25 ` Vasilii.Alferov
2005-05-11  9:12   ` Ian Laurie
2005-05-10 11:26 ` Problem adding connlimit rule Ruben Cardenal
2005-05-10 13:11 ` Francesco Ciocchetti [this message]
     [not found] ` <20050510112649.07D4458F@mail.817west.com>
2005-05-10 13:45   ` Jason Opperisano
2005-05-10 22:11 ` philosophical question regarding NAT Taylor, Grant
