[UFO Chicago] NAT and port filtering
Robert B. Moses
robert.moses@helioslogic.com
Tue, 28 Jan 2003 11:39:21 -0600
Jesse Becker wrote:
> --- "Robert B. Moses" <robert.moses@helioslogic.com> wrote:
>
>>I need 3 boxes connected to a Netgear router doing NAT
>>and filtering.
>>None of these boxes run any servers/services...they are
>>simply client machines that want to browse the WWW and
>>POP off their email. Easy.
>
>
> This is straight-forward masquerading. Nothing fancy here.
:) That is why I started second-guessing myself... like in the movies when
the hero says, "That was easy... a little too easy!"
>
> Both halves are half right. ;-) You don't need to allow
> incoming connections, but you do need to allow return
> traffic for connections that you have established.
Heh heh... maybe my corpus callosum may be having some issues...
>
>>Would blocking/dropping inbound connections 0-1024 be
>>sufficient?
>
>
> Well, the default policy should be a default DROP, except
> where you make holes for valid traffic.
Right, so when all other rules don't "match" for the specified action, DROP.
Which brings me to another question: does DROP send the packet to
/dev/null, or does it respond with a connection refused type of thing?
Thanks for refreshing the principle of this issue. I think I'll have to
experiment a little. If anyone is interested, the culprit in question is
Netgear's RT314 Internet Gateway Router w/4 port switch.
From what I can tell, it has some nice features: filtering of TCP/UDP as
well as generic filters based on byte patterns of the packet (hmm, that
sounds closer to SPI...)
Well, back to work for me...
--
Robert B. Moses
1300 W. Eddy St., Unit 2
Chicago, IL 60657
773.991.0179
robert.moses@helioslogic.com
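Added example, not part of the thread: a toy Python model of what the gateway is being asked to do. It masquerades the LAN clients, keeps a default DROP (or REJECT) policy, and still passes return traffic because it remembers the flows the clients opened, which answers the "do I need to allow incoming?" question; `sender_sees` answers the DROP-vs-connection-refused question. All addresses and ports are constructed, and the Netgear box's real behaviour is not modelled.

```python
from collections import namedtuple

# Constructed addresses for the illustration (not from the thread).
WAN_IP = "198.51.100.2"                              # gateway's public side
LAN_PREFIX = "192.168.1."                            # private client LAN
CLIENT_PORTS = frozenset({53, 80, 443, 110, 995})    # DNS, HTTP(S), POP3(S)
Packet = namedtuple("Packet", "src sport dst dport proto", defaults=["tcp"])

class Gateway:
    """Masquerading gateway whose only inbound 'hole' is the reply path of flows
    the LAN side opened; anything else meets the default policy (DROP or REJECT)."""
    def __init__(self, policy="DROP"):
        self.policy = policy
        self.nat = {}            # (proto, wan port) -> (lan ip, lan port, peer ip, peer port)
        self.next_port = 1024

    def lan_to_wan(self, pkt):
        """Outbound: only client protocols may start a flow; rewrite source and record it."""
        if not pkt.src.startswith(LAN_PREFIX) or pkt.dport not in CLIENT_PORTS:
            return self.policy, None
        wan_port, self.next_port = self.next_port, self.next_port + 1
        self.nat[(pkt.proto, wan_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return "ACCEPT", Packet(WAN_IP, wan_port, pkt.dst, pkt.dport, pkt.proto)

    def wan_to_lan(self, pkt):
        """Inbound: accepted only as the return half of a tracked flow, and only from
        the very peer that flow was opened to; then the address is translated back."""
        entry = self.nat.get((pkt.proto, pkt.dport))
        if entry and (pkt.src, pkt.sport) == entry[2:]:
            return "ACCEPT", Packet(pkt.src, pkt.sport, entry[0], entry[1], pkt.proto)
        return self.policy, None

def sender_sees(verdict, pkt):
    """DROP discards silently, so the peer only sees a timeout; REJECT answers with
    a TCP reset (or ICMP port-unreachable for other protocols), i.e. 'connection refused'."""
    if verdict != "REJECT":
        return None
    return "tcp-reset" if pkt.proto == "tcp" else "icmp-port-unreachable"

def demo(policy="DROP"):
    gw, out = Gateway(policy), {}
    pop = Packet("192.168.1.10", 40000, "203.0.113.5", 110)          # client fetching mail
    out["pop_out"], translated = gw.lan_to_wan(pop)
    reply = Packet("203.0.113.5", 110, WAN_IP, translated.sport)     # server's answer
    out["pop_reply"], delivered = gw.wan_to_lan(reply)
    out["reply_to"] = (delivered.dst, delivered.dport)               # back to the client
    probe = Packet("203.0.113.9", 5555, WAN_IP, translated.sport)    # unsolicited inbound
    out["probe"], _ = gw.wan_to_lan(probe)
    out["probe_sees"] = sender_sees(out["probe"], probe)
    return out
```

Run `demo()` and `demo("REJECT")` to compare: the mail fetch and its reply pass under both policies, while the unsolicited packet gets no answer at all under DROP and a TCP reset under REJECT.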