Re: To NAT or not to NAT

From: Adam Getchell <AdamG(at)hrrm.ucdavis.edu>
Date: Wed Jan 08 2003 - 20:52:49 EST


I must be laboring under misinformation:

I NAT'd a bunch (~100) of my Windows workstations behind private IP addresses, with a pf NAT box translating to a single public address, then put a bridging FW in front of that. As far as I can tell, there's *no* way to reach the Windows machines, for which I'm grateful, as MS has issued a mess of security patches. (I still patch using UpdateExpert, but who cares in OpenBSD-land?)

At least, SuperScan, nmap, X-Scan and the like come up with nothing, even when run inside the DMZ. Outsiders come up with maybe 5 or 6 reachable addresses, most of which are dumb terminals sitting in public areas. (I left them in the public VLAN so that someone bringing in a laptop and hijacking their network port still has to traverse firewalls).

So how would an outsider access my Windows boxes?

Thanks for the information,

--Adam

-----Original Message-----
From: Lars Hansson [mailto:lars@unet.net.ph]
Sent: Monday, January 06, 2003 6:02 PM
To: misc@openbsd.org
Subject: Re: To NAT or not to NAT

On Tue, 2003-01-07 at 08:30, Craig Hammond wrote:
>
> From a security point of view, is this a correct assumption?

IMHO, yes. NAT breaks a lot of things and if you really don't need it, don't use it. Simply obscuring what IP addresses you use doesn't buy you much.

-- 
Lars Hansson 
Received on Wed Jan 8 20:54:29 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:32:19 EDT

