Wildcards in reverse DNS

Marc Haber mh+bind-users at zugschlus.de
Sat Jan 6 11:06:17 UTC 2007


On Sat, Jan 06, 2007 at 09:13:42PM +1100, Karl Auer wrote:
> On Sat, 2007-01-06 at 10:25 +0100, Marc Haber wrote:
> > I have to agree with the conservative people here that NAT is an added
> > layer of protection against configuration errors. I have once seen a
> > case where an accidental "allow all" was inserted into a stateful
> > packet filter, which caused a server with an official IP address that
> > was supposed to be "protected" by that packet filter to be r00ted in
> > no time. Had this server behind a NAT gateway with only tcp/80 DNATted
> > to the site local IP address of the server, this configuration error
> > wouldn't have been remotely as bad.
> 
> How does that differ from misconfiguring a NAT to pass all incoming
> connections to a particular machine?

Not much, but at least in the setup affected, configuring NAT is
a different step, so the same result would have needed the same
mistake at a different place.

But I agree that NAT is not a security measure.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in the header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835