On 05/26/2016 08:24 AM, Per Jessen wrote:
> Anton Aylward wrote:
>> IF AND ONLY IF the NAT port forwarding *ALSO* has all the filtering
> NAT port forwarding is typically a single 'iptables' entry, nothing more. It isn't a <something> with anything extra, any more filtering, it's just a directive: "send requests on port 80 on external IP to port NN on internal IP".
Yes, that is exactly my point. It's just that whether your NAT is a low-end consumer Linksys device from Best Buy or a homebrew PC running some NAT'ing firewall on top of Linux (BTDT both ways).

This is for my son's Minecraft server:

    iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 25565 -j DNAT --to 192.168.11.221
>> one would expect of a firewall for that services (AV, email black hole, 'content inspection' and a pile of other things) then OK.
> I wouldn't expect any of that in a standard ADSL or FTTH box. Not at all - we're talking about a firewall on a router, nothing else. Well, that's what I'm talking about.
I wouldn't expect content filtering etc. etc. on a .... see above ... either. That's my point. And there are going to be a number of crafted attack modes to any 'open port for a server'. That I can't think of any specific examples means nothing. I'm not a malicious hacker, I'm not a member of Anonymous, I'm not even a 'script kiddie'. I DO know that 'think like a hacker in order to defend' is a flawed argument. It assumes you're only defended against specific and specifically motivated attacks. Defence can be systematic.
> But I've not seen a NAT'ing device that does. None of the ones I have or have installed or dealt with in a casual-for-friends-and-relatives or professional or semi-professional capacity have, but I can't claim to have dealt with every last device and every last software revision in the whole wide world.
> Professional equipment such as Fortigate, Sonicwall and Astaro (and many others), all come with all or some of that, but unless you're a small business, you probably don't want to bother with one of those.
Actually, IIRC, iptables has the ability to do packet inspection. IIRC it has the ability to hand the packet off to a user process for inspection, but that is !EXPENSIVE!. It's expensive in the professional $mega dedicated firewalls you mention and others. But let's face it; iptables can ALSO deal with other nasty things like packet fragmentation attacks and buffer over-run attacks. The thing is that most OTS (see above) NAT devices don't allow you to set that up, and even the shareware firewalls like IPCop don't have an option (or the version I've installed doesn't) (maybe the later or the IPv6 version does have a plugin that does) for some of this nasty stuff, even if iptables COULD deal with it. I'm sure there's a HOW-TO about all this; I'm sure I've seen one, but if I bookmarked it I can't find it in my list right now.

My point is that since OTS NAT devices don't do all these proactive 'firewall' things, and that applies just as much to established connections as the Mitnick-Shimomura hijacking demonstrated, something that the people who think that NAT is an adequate protection because it prevents unsolicited initiated incoming connections <strike>often</strike> usually forget, you DO need the proper firewall. It's why 'host level firewalls' are coming in. It's also why they are of limited use, since end users don't know how to configure them. It's why 'smart assistants' that can configure them are coming next!

Hmmm
http://www.symantec.com/connect/articles/iptables-linux-firewall-packet-stri...
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

Whether allowing smtp/imap outgoing to only a specific ISP from your host is useful I'm not sure, but there you are. Preventing DoS is more relevant.

About a 'stateful' firewall with iptables ...
https://wiki.archlinux.org/index.php/simple_stateful_firewall
https://evilshit.wordpress.com/2013/12/17/how-to-set-up-a-stateful-firewall-...
Since some things, P2P, can run over HTTP, port blocking is not adequate and content filtering or "layer 7" filtering is needed.
http://l7-filter.sourceforge.net/

-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
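An added example, not code from the thread or from either poster: the single DNAT rule from the post placed next to the stateful FORWARD rules the thread says a Linux NAT box needs around it. The DNAT entry in the nat table only rewrites the destination address; whether the packet is then forwarded is decided in the filter table's FORWARD chain, and on a fresh Linux box that chain is empty with policy ACCEPT, so the one-liner forwards anything at all to the Minecraft host. Assumptions not stated in the thread: eth1 is the WAN side (the post names only eth1), eth0 is the LAN side, the server is 192.168.11.221:25565 as in the post, and the connection and rate limits are illustrative values. Setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): the post's DNAT rule
# beside the stateful filtering a Linux NAT box needs with it.
# Assumed, not from the thread: eth1 = WAN, eth0 = LAN, limits are illustrative.
IPT="${IPT:-iptables}"          # set IPT=echo for a dry run
WAN_IF="${WAN_IF:-eth1}"
LAN_IF="${LAN_IF:-eth0}"
SERVER_IP=192.168.11.221
SERVER_PORT=25565

# 1. What the post shows: DNAT alone. --to-destination is the long form of
#    the post's --to. This rewrites the destination and nothing else.
nat_only() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$SERVER_PORT" \
        -j DNAT --to-destination "$SERVER_IP"
}

# 2. The stateful filtering around it: default-deny on FORWARD, then let
#    through only replies to tracked connections and new connections to the
#    one published service, with some DoS damping on that service.
stateful_forward() {
    $IPT -P FORWARD DROP
    # Packets conntrack cannot account for: out-of-window TCP segments,
    # stray ACK/RST injected into a tracked connection, broken fragment trains.
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # Replies and related traffic for connections already in the state table.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open anything outbound.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    # Cap concurrent connections per source address on the published port.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$SERVER_IP" --dport "$SERVER_PORT" \
        -m conntrack --ctstate NEW -m connlimit --connlimit-above 10 --connlimit-mask 32 -j DROP
    # Rate-limit new SYNs to the published port; excess falls through to the policy DROP.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp --syn -d "$SERVER_IP" --dport "$SERVER_PORT" \
        -m conntrack --ctstate NEW -m limit --limit 25/second --limit-burst 50 -j ACCEPT
    # Anything else arriving from the WAN is logged (rate-limited) and then dropped by policy.
    $IPT -A FORWARD -i "$WAN_IF" -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
}

# Dry-run helper: number of -A rules a function would issue, without touching
# the kernel (the subshell makes IPT=echo temporary).
rule_count() {
    ( IPT=echo; "$1" ) | grep -c -- '-A '
}

# Usage: sh nat-stateful.sh apply            (as root, applies the rules)
#        IPT=echo sh nat-stateful.sh apply   (prints the rules instead)
if [ "${1:-}" = "apply" ]; then
    nat_only
    stateful_forward
fi
```

The ordering matters: the INVALID drop comes before the ESTABLISHED accept so that a segment with a bogus sequence number aimed at a tracked connection is dropped rather than waved through as "established", which is the hijacking case the thread raises. The script needs net.ipv4.ip_forward=1 and the nf_conntrack modules, both standard on a Linux router.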