Wildcards in reverse DNS

Karl Auer kauer at biplane.com.au
Sat Jan 6 10:13:42 UTC 2007

On Sat, 2007-01-06 at 10:25 +0100, Marc Haber wrote:
> I have to agree with the conservative people here that NAT is an added
> layer of protection against configuration errors. I have once seen a
> case where an accidental "allow all" was inserted into a stateful
> packet filter, which caused a server with an official IP address that
> was supposed to be "protected" by that packet filter to be r00ted in
> no time. Had this server behind a NAT gateway with only tcp/80 DNATted
> to the site local IP address of the server, this configuration error
> wouldn't have been remotely as bad.

How does that differ from misconfiguring a NAT to pass all incoming
connections to a particular machine?

NAT is not immune to misconfiguration. The default configuration is
typically conservative - as is the typical firewall config. You get in
there changing stuff, you have to be careful.

Regards, K.

Karl Auer (kauer at biplane.com.au)                   +61-2-64957160 (h)
http://www.biplane.com.au/~kauer/                  +61-428-957160 (mob)

More information about the bind-users mailing list