
Re: IP fw-in deny (?)



> On Thu, 22 Apr 1999, Paul Tod Rieger wrote:
> > OK, so just because I see eth0 and 192.168.4.1 (eth1) in the message
> > doesn't mean the problem is on the firewall: it's likely coming from
> > another device on the eth1 LAN.

On Thu, 22 Apr 1999, John Kramer wrote:
> eth0 is your internal lan, right?  Or is eth1 connected to your lan?

This confused me too.  If the message says it's an input rule from eth0,
it doesn't seem likely that the packet came in on eth1.  But if it's
192.168.4.1 (his eth1 address), it seems unlikely that it came from eth0.  

Clearly, this packet doesn't exist.

> In either case, it's not "garbage".  It's just normal operation for PCs
> looking for addresses.  (Specifically, win95/98/nt machines)

The only thing that catches my eye is the 192.168.4.1 - where did this
number come from?  Does the PC sending the DHCP request just make it up
and hope it's not used on your internal network?

> There's not much you can do about your neighbor except ignore him/her.  

Sure there is - you can serve her up an IP number by running your own DHCP
server.  Preferably one that won't work (192.168.4.1 isn't a bad choice)
on the outside world, so she'll call up her provider and maybe they'll
find a way to run a more secure system.  Or maybe they'll just disconnect
the troublemaker (you).  It's a risk you take when pointing out flaws in
other people's systems.

Note: I don't actually advocate doing the above.  It's an amusing idea,
but could have ugly consequences, including perhaps legal action against
you. You _can_ do it, but you probably shouldn't.  This disclaimer goes
double for the following idea.  In both cases "ignore him/her" is the
correct, if boring, advice.

If you're in a really mean mood, you can put your neighbor behind your
masqueraded firewall and log all her activity. To do this, set up an alias
eth0:1 as 192.168.127.1 (or any other convenient reserved network not used
by yourself).  Allow masquerading from this network.  Set up dhcpd to
serve out addresses from 192.168.127.[2-254] to requests coming in on eth0
(maybe eth0:1, dunno how broadcasts work with aliased adapters).  Presto,
your machine gets all traffic from any neighbor who DHCPs over your link
(if you respond before the ISP's DHCP server) and masquerades it to the
'net.  Your neighbors don't notice anything wrong, but you can snoop 'em
at will.
--
Mark Rafn    dagon@halcyon.com    <http://www.halcyon.com/dagon/>   !G
111% of crap is everything." --Larry Wall
