Re: Hiding NATs with PF

From: Greg Hennessy (me_at_privacy.org)
Date: 09/28/05


Date: Wed, 28 Sep 2005 21:15:50 +0100

On 28 Sep 2005 11:02:55 -0700, "Max Bolingbroke"
<batterseapower@hotmail.com> wrote:

>> > How do they 'enforce' this policy exactly ? I've worked in environments
>> > with ridiculous policies because some clueless idiot copied something out
>> > of a textbook.
>>
>> Not to mention the time it would take humans to go out and try and
>> detect this.
>>
>> To the OP: Are there policies on using vmware or similar
>> multiple-os-per-machine constructs?
>
>None. The only restriction is against routers.

I can see some reasoning for that with potential issues to do with dynamic
routing and, as Simon says, 'leakage'.

>The claim is that a NAT router causes upstream routing headaches.
>Is this true?

If it's injecting bogus dynamic routing information into whatever IGP they
are using, yes, potentially.

But for a SoHo appliance methinks not.

>> I know of such networks where there is a strict ``no nat'' policy
>> because they don't want to deal with abuse hidden by that and the
>> resulting expected gefingerpointing. I can't blame them for their
>> motives.
>
>Interesting, they don't cite that as a reason. What abuse could be
>hidden by a NAT that could not be hidden by a single host with firewall
>enabled?

Nothing routing related, but as Simon also says, if your LAN is compromised
with a hijacked system...

greg

-- 
"Access to a waiting list is not access to health care"