From: Greg Hudson <ghudson(_at_)MIT(_dot_)EDU>
But anybody clear understand that if your internal hosts do not have
a public address then all attacks may be only static - wait until
internal host open TCP to somewhere.
This is a naive understanding. Source-routing would let me get
packets through to an internal address unless your NAT also acts as a
firewall.
Why isn't it also naive to assume that vulnerable applications on hosts
inside will honor IP source routes on the return path?
See for example, current BSD source for telnetd and rlogind.
Vernon Schryver vjs(_at_)rhyolite(_dot_)com