[Courses] [Security] Firewall theory -- UDP and nameservers

Kai MacTane kmactane at GothPunk.com
Mon Mar 25 14:23:31 EST 2002


At 3/22/02 05:32 AM , Jenn Vesperman wrote:

>The diehard IPv4 addict's 'solution' to running out of real addresses.
>Once we force them all to move to IPv6, NAT will vanish.

I can't see why; NAT is also useful for security. Take my house network: I 
have DSL with four static IPs. The Slackware Linux machine "surehand" gets 
three of those, with the Mandrake machine "kitchengod" having the other. 
kitchengod runs ipchains, and has a second NIC, which the four Windows 9x 
boxen in the house plug into. They get their IP addresses from DHCP, in a 
192.168 range.

The practical upshot? I never put a Microsoft OS onto the Internet. In 
fact, no outside attacker can even find out their IP addresses, and if they 
could, they still couldn't route packets to them.

Sure, NAT started as an address-space conservation scheme. But it's also 
become intimately associated with IPmasq for security purposes. When IPv6 
comes in, I'll still be using masquerading to protect the OSes that can't 
handle the rigors of exposure to the raw Internet.

                                                 --Kai MacTane
----------------------------------------------------------------------
"Soft and only you, lost and only you,
  Strange as angels."
                                                 --The Cure,
                                                  "Just Like Heaven"
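
The masquerading behaviour described in the message above, as an added example that is not part of the original post: a toy Python model of a two-NIC gateway like "kitchengod" that rewrites outbound connections and drops inbound packets with no matching entry. The addresses (documentation ranges), the 192.168.1.0/24 subnet, the port numbers and the `Masquerader` class are assumptions made for illustration.

```python
PUBLIC_IP = "203.0.113.1"        # constructed gateway address (documentation range)
LAN_PREFIX = "192.168.1."        # assumed 192.168 subnet handed out by DHCP


class Masquerader:
    """Toy model of a masquerading gateway (hypothetical helper, not ipchains)."""

    def __init__(self, public_ip, lan_prefix, first_port=61000):
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self.next_port = first_port
        # public port -> (lan ip, lan port, remote ip, remote port)
        self.table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A LAN host opens a connection; the source becomes the gateway."""
        if not src_ip.startswith(self.lan_prefix):
            raise ValueError("source is not on the masqueraded LAN")
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Decide what happens to a packet seen on the Internet-facing NIC."""
        if dst_ip != self.public_ip:
            # 192.168 destinations are not routed across the Internet at all
            return ("DROP", "destination is not the gateway's public address")
        entry = self.table.get(dst_port)
        if entry is None or entry[2:] != (src_ip, src_port):
            return ("DROP", "no matching masquerade entry")
        return ("FORWARD", entry[:2])


def demo():
    gw = Masquerader(PUBLIC_IP, LAN_PREFIX)
    # Constructed traffic: one LAN client browsing to an outside web server.
    seen = gw.outbound("192.168.1.10", 1025, "198.51.100.7", 80)
    return {
        "seen_by_server": seen,
        "reply": gw.inbound("198.51.100.7", 80, seen[0], seen[1]),
        "unsolicited": gw.inbound("198.51.100.99", 4444, PUBLIC_IP, 139),
        "direct": gw.inbound("198.51.100.99", 4444, "192.168.1.10", 139),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The outside server only ever sees the gateway's address, and both drop decisions follow from the absence of a state entry, which is the same property a stateful firewall provides without address translation.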



