Firewalling revisited...

Henning Rohde hr at our-home.net
Thu Oct 18 00:01:14 PDT 2001


Hi Björn,

OK, while trying to sleep last night I've been thinking intensively about
your concept:

It's highly unconventional, but, as long as there's only one single
client, it's quite OK: some of my criticisms are now wrong; I had not
understood your concept well enough when I wrote them.

In your current setup you DNAT any incoming request to your internal
client. Doing it this way, you do not use the highly appreciated feature
that the conventional concept of a masquerading router has:

The conventional concept means that the masquerading router only SNATs
outgoing requests; incoming requests are handled by the router itself.
If some cracker attacked its IP, he would only be able to crack the
router, with no important data on it, but he would not immediately get full
access to your documents. To access your documents he would need to crack
your internal machine as well.

In your current concept a cracker who ssh'ed to your IP would get the
login prompt of your internal box. Cracking ssh seems quite unlikely,
but logging in is not so difficult if you happen to have accounts with
weak passwords.
Once the cracker has shell access, he might try some exploits,
e.g., in SUID programs, to get root access and is then able to read your
data.

The other disadvantage your concept has, in my eyes, is that it allows
only one client: what are you going to do if you'd like to put a second
machine into your internal network, e.g., a notebook?
Any connection initiated from the notebook would correctly be routed to
the Internet, but the answers would be redirected to 192.168.1.1,
wouldn't they?


Have I now understood your concept completely, or am I again missing some
aspect?


Have a nice day,

	Henning

--
"A patriot is someone who loves his fatherland. A nationalist is someone
who despises the fatherlands of others." (Johannes Rau)
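The two setups contrasted in this mail, as an added example that is not part of the original thread: the DNAT-everything ruleset beside the conventional masquerading-router ruleset that only rewrites outgoing connections. The interface names eth0 (Internet side) and eth1 (LAN side) and the use of iptables' conntrack match are assumptions; 192.168.1.1 is the client address from the mail.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: eth0 faces the
# Internet, eth1 the internal LAN, 192.168.1.1 is the single internal client
# from the mail. Rules are printed, not applied; pipe the output into 'sh'
# as root to load them.

# The setup criticised in the mail: every unsolicited inbound packet is
# DNATed to the internal client, so the router's public IP effectively
# presents the client's login prompt, and replies for a second LAN host
# would still be rewritten to 192.168.1.1.
weak_ruleset() {
    cat <<'EOF'
iptables -t nat -A PREROUTING  -i eth0 -j DNAT --to-destination 192.168.1.1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -P FORWARD ACCEPT
EOF
}

# The conventional masquerading router: only outgoing connections are
# rewritten (SNAT via MASQUERADE); inbound traffic is handled by the router
# itself and is only forwarded when it belongs to a flow the LAN opened.
# conntrack maps each reply to the host that started the flow, so a second
# client (the notebook) works with no per-host rule. A service the router
# itself offers gets its own explicit INPUT ACCEPT for that port.
hardened_ruleset() {
    cat <<'EOF'
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
}

# Review check: returns 0 (true) if a ruleset DNATs unsolicited inbound
# traffic to a LAN host, i.e. exposes the internal box the way the mail
# describes.
exposes_internal_host() {
    "$1" | grep -q -- '-j DNAT'
}
```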

