On 05/10/2015 04:47 PM, Anton Aylward wrote:
> More to the point, NAT will not allow an incoming TCP _request_.
>
> That doesn't mean it's secure. There are ways of piggy-backing on established connections. The famous Mitnick vs Tsutomu Shimomura case, documented in the book and movie "Takedown", was based on such a technique. We've made adjustments to the way TCP initiation & packet sequencing is done that make such an attack very difficult, but it's not impossible.
That is why many state NAT isn't a firewall. From a networking point of view, beyond stretching address space, it's generally a bad thing, in that it breaks some protocols. As for being a firewall, there's nothing it can do that a properly configured firewall can't.

With a firewall, you generally start from "block everything" and then allow only what you want. On a proper firewall, this works in both directions, so that you can block outgoing as well as incoming. If you want to see what a real firewall can do, take a look at Cisco access lists. They can be applied to any interface in either direction, with multiple qualifiers in each statement, so you get maximum flexibility in what you allow or block.

Hopefully, with IPv6, NAT will be a thing of the past. Unfortunately, some people think it's a good idea to use it with IPv6 too.

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
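The "block everything, then allow only what you want, in both directions" approach described in the reply above, written as an nftables ruleset for a small Linux router. This is an added example, not code from the thread or from either poster; the interface names (eth0 = WAN, eth1 = LAN), the LAN prefix 192.168.1.0/24 and the ports chosen for the allow-list are assumptions. The point it makes is the one the reply makes: address translation sits in its own table and filters nothing, while the policy lives in a filter table whose every chain starts from `policy drop`, including the outbound direction that a NAT-only box simply passes.

```nft
#!/usr/sbin/nft -f
# Constructed example: default-deny filtering in both directions, with NAT
# kept separate. Interface names (eth0 = WAN, eth1 = LAN) and the LAN prefix
# 192.168.1.0/24 are assumptions, not values from the thread.
flush ruleset

# NAT lives in its own table and does no filtering at all: it only rewrites
# the source address of packets the filter table has already allowed through.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "eth0" masquerade
    }
}

# The filter table is where the actual policy is. Every base chain starts
# from "policy drop", then allows only what is listed below it.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Only the LAN may open a management session to the router itself.
        iifname "eth1" ip saddr 192.168.1.0/24 tcp dport 22 ct state new accept
        # Anything else addressed to the router, from any side, hits the policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Outbound: LAN hosts may only open web and DNS sessions to the WAN.
        # This is the direction a NAT-only box lets through unconditionally.
        iifname "eth1" oifname "eth0" ip saddr 192.168.1.0/24 tcp dport { 80, 443 } ct state new accept
        iifname "eth1" oifname "eth0" ip saddr 192.168.1.0/24 udp dport 53 ct state new accept
        # Inbound: no rule allows a new session from eth0 toward eth1, so
        # unsolicited traffic from the WAN is dropped by the chain policy.
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # The router itself may only originate DNS and NTP; nothing else leaves it.
        udp dport { 53, 123 } ct state new accept
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it, load it with `nft -f ruleset.nft`, and confirm what is actually active with `nft list ruleset`. Removing the `ip nat` table entirely leaves the filtering policy unchanged, which is the practical demonstration that the security comes from the filter chains and not from the translation.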