NAT w/o firewall?

Chris Brenton cbrenton at chrisbrenton.org
Tue Dec 7 16:40:02 EST 2004


On Tue, 2004-12-07 at 11:44, Michael ODonnell wrote:
>
> let's say I have a simple home network with a
> combination of machines behind a Linux box that's
> doing NAT/firewall duty.  If I rigged that NAT box
> such that it'd allow establishment of no inbound
> connections of any kind but forwarded all outbound
> connections from any machine behind it (doing NAT for
> all) couldn't I just basically turn off all other
> firewall functions in that NAT box? 

I'm not really sure you can do this. It sounds like you are talking
about disabling CONNTRACK which *I think* also kills NAT capability. 

If you are talking on a static filter level, you still have to worry
about things like SYN/FIN which passes !=SYN but still permits
connection establishment to most UNIX systems as well as Linux.

Either way why would you want to? If you have a security tool, leverage
it.

> What kind of
> attack could succeed in this situation, other than
> hijacking a NAT'd connection

About 2-3 years ago I did a study of about 8 different "home firewall
appliances" that were basically boxes that did one-to-many NAT and not
much else. Out of the 8, I found 5 of them that allowed you to reach the
internal network from outside via loose source routing. So basically
these NAT devices were an annoyance rather than a real firewall.

Now, with Linux you can disable source route support by simply setting
accept_source_route=0. This stops the Linux box from being a bounce IP,
but I'm not convinced from the testing I've done that it blocks all
source routed packets. For example if you permit inbound access from an
external IP, the testing I've done shows that Linux will pass the packet
if the source route option is set but the permitted external IP is used
as the bounce point. This is based on 2.4. Have not had time/bandwidth
to test 2.6. 

HTH,
Chris
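As an added illustration of the two points Chris raises (keep conntrack-based filtering on a Linux NAT box rather than a static SYN-flag filter, and set accept_source_route=0), here is a small POSIX shell script that is not part of the original thread. It emits an iptables rule set that permits only outbound-initiated connections, and it checks the per-interface accept_source_route sysctl knobs. The interface names eth0/eth1, the 192.168.1.0/24 subnet and the helper names are assumptions made for the example; the sysctl root is a parameter so the check can be exercised against a constructed directory rather than a live /proc/sys.

```shell
#!/bin/sh
# Added example, not from the original thread: minimal iptables/sysctl
# setup for a Linux NAT box that allows only outbound-initiated connections.
# Interface names and subnet below are assumptions.

WAN_IF="${WAN_IF:-eth0}"                # assumed external interface
LAN_IF="${LAN_IF:-eth1}"                # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed RFC 1918 LAN subnet

# Print the rule set on stdout. Generation is separated from application so
# the rules can be reviewed or tested without touching a running kernel.
nat_rules() {
    cat <<EOF
# Default-deny for traffic to the box and through the box.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -t nat -F

# Loopback, plus replies to connections the box itself opened.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New connections to the box (DNS, SSH, ...) only from the LAN side.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT

# Forward new connections only from LAN to WAN, and replies to them.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no tracked connection (e.g. bare ACK/FIN segments a
# static "!= SYN" filter would wave through) are dropped by state, not flags.
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

# One-to-many NAT for the LAN.
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Return 0 when every accept_source_route knob under the sysctl root is 0;
# otherwise print each offending path and return 1. The root defaults to
# /proc/sys and can be pointed at a constructed tree for testing.
check_source_route() {
    root="${1:-/proc/sys}"
    rc=0
    for f in "$root"/net/ipv4/conf/*/accept_source_route; do
        [ -e "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            echo "source routing still enabled: $f"
            rc=1
        fi
    done
    return $rc
}

# Apply sysctl hardening and then the rules. Needs root on a real box.
apply_all() {
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv4.conf.all.accept_source_route=0
    sysctl -w net.ipv4.conf.default.accept_source_route=0
    nat_rules | sh
    check_source_route
}

# Only touch the system when invoked with "apply"; otherwise just print rules.
case "${1:-}" in
    apply) apply_all ;;
    *) nat_rules ;;
esac
```

Run the script with no arguments to review the generated rules, and with `apply` to install them. Note that `check_source_route` only verifies the sysctl knobs; it does not address the 2.4 behaviour Chris describes, where a source-routed packet bouncing through a permitted external address may still be passed, so that caveat still needs testing on the kernel in use.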