
Firewall behind an existing one?

Cloudane (Technical User, GB, 4 posts), Aug 29, 2001
I'm running a Linux box behind a firewalled NAT. It's always stressed as important that a *nix box connected to the Internet in any way should be firewalled. My question is - do you need to run a firewall if it's already behind a NAT router? Bearing in mind that the only port forwarding to the Linux box I'll have set up is SSH (I'm going away for a week and want to be able to access it still). It should be safe I'd have thought, since packets can't find their own way through a NAT at the best of times... but thought I'd better check.

TIA
 
Cloudane,
My understanding is that NAT is 80% of external security, where having a good firewall/IDS/etc is 99% and having your Win98 box on a public IP address with shares enabled is 0%. I haven't heard of any way to get anything through NAT (not that I'm any star hacker or anything), but if the NAT is not on a firewall I'd try to compromise the NAT box and then the network is open.
HTH,
-Steve
 
If you've installed any/all patches that are available to protect your SSH daemon, I wouldn't worry about leaving your system as-is. That also assumes that the box hasn't had an opportunity to be trojaned already, in which case it will invite all hostile connections through established traffic, unless your router is set to forbid ANY and all non-SSH traffic, regardless of established status.
 
Thanks for the feedback. The ssh box is using Slackware 8.0 with all the security updates, so I'm fairly happy that any known holes are plugged. Not too chuffed about the actual NAT router - which is a Wintel box running WinXP's ICS and Firewall. The reasoning behind it would take some explaining, but suffice to say it's an unavoidable 'family issue'... I think it'll be okay though, since all the Windows Updates are installed (including grc.com's UnPlugnPray) so if MS can go for a week without discovering another major security hole then it'll be fine *g*



Still, I may throw up iptables anyway as a second layer. Won't do any harm.
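An added example, not code posted by anyone in this thread: a minimal iptables policy for the Linux box described above, exposing only SSH inbound and, following the earlier reply's point about not relying on "established" status, defaulting outbound traffic to drop as well so that a compromised host cannot freely phone home. Assumptions: legacy `iptables` command syntax with the `state` match module, SSH on port 22, and a constructed LAN address of 192.168.0.0/24 (adjust `LAN_NET` to your own network). With no arguments the script only prints the rules; run it with `apply` as root to load them.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny iptables policy for a
# Linux host behind a NAT router that only forwards SSH to it.
# LAN_NET is a constructed placeholder; SSH_PORT defaults to 22.
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Emit the rule set as one iptables command per line.
gen_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -d $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "iptables-in-drop: " --log-level 4
iptables -A OUTPUT -j LOG --log-prefix "iptables-out-drop: " --log-level 4
EOF
}

# Sanity check used before applying: how many rules admit NEW inbound
# connections? For this policy the answer must be exactly one (SSH).
count_inbound_new() {
    gen_rules | grep -c -- '-A INPUT .*--state NEW'
}

# Load the rules, stopping at the first command that fails.
apply_rules() {
    if [ "$(count_inbound_new)" -ne 1 ]; then
        echo "refusing to apply: unexpected number of inbound NEW rules" >&2
        return 1
    fi
    gen_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *) gen_rules ;;
esac
```

The two LOG rules at the end of each chain are what make the second layer worth having: anything the Windows ICS box lets through that is not SSH, and any outbound connection the host tries to open on its own, ends up in the kernel log instead of silently succeeding. Outbound DNS is sent only to the LAN (the ICS router acts as the resolver), and outbound HTTP/HTTPS is left open for fetching updates; tighten that further if the box has no need to initiate connections at all.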
 
The WinXP Firewall is a major hole in itself. It stops outside sources from gaining access unless allowed, as you would expect, but my understanding is it does not block traffic going out. You'll not be able to spot, or stop, any traffic from trojans like NIMDA. I suggest you use a more serious product like Sygate or ZoneAlarm. Both are free to the private user, or cost very little for the corporate user.
 
If you install Zone Alarm Pro, buy the Professional version and be sure to assign a password. Without a password a worm or trojan can include a simple batch file to defeat the program.
 