[Gllug] DNS security problem and broadband modems
Tethys
sta296 at astradyne.co.uk
Fri Jul 25 23:08:37 UTC 2008
--------
Alain Williams writes:
>My broadband modem has a NATting firewall on it (I also run a
>firewall on my home server [**]), this seems to be 'undoing' the
>port randomisation

Correct. Tom Cross of XForce pointed out precisely that
issue a couple of weeks ago. It's a common problem. No
matter how good the random port generation used by your
nameserver may be, it's no good if your NAT device is
rewriting it to something distinctly non-random on the
way out. Solution: get a better NAT provider.

>Question: either:
>
>1) how to get round this problem ? I have played with the D-link
>config and don't think that I can do it there.
>
>2) what new BB modem should I get ? I prob ought to get one anyway
>to be able to upgrade the speed that I am getting.

Option 3) Do it yourself (in other words, get a better NAT
provider). My ADSL router acts purely as a router -- simply
passing packets from network A to network B and vice versa.
It does no NAT/PAT and no packet filtering. Traffic goes
straight through into my firewall (a separate box) which is
entirely under my control. From there I fan out to the rest
of the network. It's a setup I'd recommend to anyone. No
messing about with cryptic and underpowered vendor configs.
It's all just plain old network config on a Unix box.

Tet
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
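
A check for the effect discussed in this thread, as an added example that is not part of the original post: extract DNS query source ports from a capture taken on the LAN side of the NAT device and one taken on its WAN side, and classify each. The tcpdump-style lines, addresses, function names and thresholds are constructed assumptions.

```python
import re
import statistics

# tcpdump -n style outbound query line: "... IP <src>.<sport> > <dst>.53: ..."
QUERY_RE = re.compile(r"IP \S+\.(\d+) > \S+\.53: ")

def source_ports(capture_lines):
    """Return the source port of each outbound DNS query, in capture order."""
    return [int(m.group(1)) for line in capture_lines
            if (m := QUERY_RE.search(line))]

def assess(ports, min_samples=8, step=16, min_stdev=3000):
    """Classify observed source ports. Thresholds are assumed, not a standard."""
    if len(ports) < min_samples:
        return "insufficient-data"
    if len(set(ports)) == 1:
        return "fixed"                      # every query leaves from one port
    # Forward distance between consecutive ports, wrapping at 65536
    deltas = [(b - a) % 65536 for a, b in zip(ports, ports[1:])]
    if sum(d <= step for d in deltas) / len(deltas) >= 0.8:
        return "sequential"                 # NAT hands out ports in order
    if statistics.pstdev(ports) < min_stdev:
        return "narrow-range"               # random, but within a small pool
    return "random-looking"

def fake_capture(src_ip, ports):
    """Build constructed capture lines (sample data, not a real trace)."""
    return [f"23:08:{i:02d}.000000 IP {src_ip}.{p} > 198.51.100.53.53: "
            f"{i}+ A? example.com. (29)" for i, p in enumerate(ports)]

# Constructed samples: what the resolver sends, and what leaves the modem.
LAN_SIDE = fake_capture("192.168.1.2", [51234, 10233, 38871, 62010, 2745,
                                        44102, 19988, 57321, 30567, 8123])
WAN_SIDE = fake_capture("203.0.113.7", list(range(1024, 1034)))

def compare(lan_lines, wan_lines):
    """Return (lan_verdict, wan_verdict, nat_undoes_randomisation)."""
    lan = assess(source_ports(lan_lines))
    wan = assess(source_ports(wan_lines))
    return lan, wan, lan == "random-looking" and wan != "random-looking"

if __name__ == "__main__":
    print(compare(LAN_SIDE, WAN_SIDE))
```

The WAN-side capture has to be taken beyond the NAT device, or the ports can be reported by a server outside the network that logs what it receives.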