---- Original Message -----
From: "Doug Barton" <dougb@dougbarton.us>
On 11/13/2011 13:27, Phil Regnauld wrote:
That's not exactly correct. NAT doesn't imply firewalling/filtering. To illustrate this to customers, I've mounted attacks/scans on hosts behind NAT devices, from the interconnect network immediately outside: if you can point a route with the ext ip of the NAT device as the next hop, it usually just forwards the packets...
Have you written this up anywhere? It would be absolutely awesome to be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration of why it isn't.
Accepting strict source routing from a public interface is certainly in the top 10 Worst Common Practices, is it not? (IE: I would be surprised if *any* current router actually let you do that.) Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274