Doug Barton (dougb) writes:
On 11/13/2011 13:27, Phil Regnauld wrote:
That's not exactly correct. NAT doesn't imply firewalling/filtering. To illustrate this to customers, I've mounted attacks/scans on hosts behind NAT devices, from the interconnect network immediately outside: if you can point a route with the ext ip of the NAT device as the next hop, it usually just forwards the packets...
Have you written this up anywhere? It would be absolutely awesome to be able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual demonstration of why it isn't.
Nope, but I could do a quick tut on how to do this against a natd/pf/ iptables or IOS with IP overload. Arguably in *most* cases your CPE or whatever is NATing is behind some upstream device doing ingress filtering, so you still need to be compromising a device fairly close to the target network. P.