
Re: Firewall



Correct me if I'm wrong, but I believe there are some problems with your
proposed solution:

> * Tandex (tand3x@yahoo.com) [010820 18:39]:
> > Do I need 2 net-card on linux-gateway that use ipmasq?
>
> Now on to my reply: the other reply to your question gave a wrong
> answer. You do not need 2 NICs to route between 2 networks; there's
> something called "one-armed routing" which makes use of IP aliasing,
> which is giving a single NIC multiple addresses.
> --
> Vineet                                   http://www.anti-dmca.org

There are a few cases where this is dangerous:

* I am assuming your firewall exists to protect your network, by providing
packet filtering (potentially inbound AND outbound).

1) If an attacker learns an internal address, and your internal network is
unrouted (on a single segment of ethernet), they would be able to get
packets (unfiltered) into your network, unless your upstream
router/DSL/Cable modem etc is doing ingress filtering.

2) If one external machine (say a web server) is "owned" on your internal
network, you have no DMZ to protect the rest of your network. The one
compromised machine has considerable power in this case, and would be less
dangerous if trapped inside a DMZ. (potentially using egress filtering, to
prevent attackers from getting much use out of a compromised machine.)

That said, I use a hub out of my dorm (and ip aliasing, which is neat
stuff) and don't really have any problems. I also don't have a serious
firewall setup; if I did, I'd probably use a dual (or probably 3-NIC)
setup.

I haven't been following this thread, so ignore this if it isn't relevant.
I just thought it was important to mention the risks involved in such a
setup -- it's not really a "firewall" at all against a determined
attacker.

-- Adam Lydick
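The two risks described in the message above, modelled as a small packet-delivery simulation. This is an added example and not code from the original thread or from any of its participants; the address plan (192.168.1.0/24 for the LAN, 192.168.2.0/24 for a DMZ, 203.0.113.0/24 standing in for the Internet), the hosts and the filter policy are all constructed assumptions. It shows that with a single IP-aliased NIC the gateway's filter never sits between the outside and the internal hosts, and that upstream ingress filtering and a separate DMZ segment are what close the two holes.

```python
"""Model of one-armed (IP-aliased, single-NIC) vs. multi-NIC gateway filtering.

Constructed example. Addresses, hosts and the filter policy are assumed
for illustration; they are not taken from the original message.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan.
INTERNAL = ip_network("192.168.1.0/24")   # LAN behind the gateway
DMZ = ip_network("192.168.2.0/24")        # separate segment on a third NIC
# Anything else is treated as "internet" (203.0.113.0/24 is used below).


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone(addr: str) -> str:
    """Classify an address into the zone it belongs to."""
    a = ip_address(addr)
    if a in INTERNAL:
        return "lan"
    if a in DMZ:
        return "dmz"
    return "internet"


class Gateway:
    """Stateless filter on the Linux gateway's forwarding path.

    Assumed policy: from outside, only TCP/80 to the designated web server
    is allowed; DMZ hosts may not initiate into the LAN (egress filtering);
    LAN hosts may go anywhere.
    """

    def __init__(self, web_server: str):
        self.web_server = ip_address(web_server)

    def forward(self, pkt: Packet) -> bool:
        src, dst = zone(pkt.src), zone(pkt.dst)
        if src == "internet":
            return ip_address(pkt.dst) == self.web_server and pkt.dport == 80
        if src == "dmz":
            return dst != "lan"
        return True


def deliver(pkt: Packet, topology: str, gw: Gateway,
            upstream_ingress_filter: bool = False):
    """Trace a packet through the assumed topology.

    Returns (delivered, reason). topology is "one-armed" or "multi-nic".
    """
    src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)

    # An upstream router doing ingress filtering refuses to hand packets
    # for the site's private ranges onto the segment at all.
    if src_zone == "internet" and upstream_ingress_filter and dst_zone != "internet":
        return False, "dropped by upstream ingress filter"

    if topology == "one-armed":
        # One NIC with IP aliases: every zone shares the same Ethernet
        # segment, so whatever reaches the segment is received by its
        # destination host without ever crossing the gateway's filter.
        return True, "delivered directly on the shared segment (unfiltered)"

    # Multi-NIC: each zone is its own segment. Crossing zones means being
    # forwarded by the gateway, which applies its policy.
    if src_zone == dst_zone:
        return True, "same segment"
    if gw.forward(pkt):
        return True, "forwarded by gateway after filtering"
    return False, "dropped by gateway filter"


def scenarios() -> dict:
    """Replay the two cases from the message; True means the packet arrives."""
    gw_flat = Gateway("192.168.1.10")   # web server sits on the LAN (one-armed)
    gw_dmz = Gateway("192.168.2.10")    # web server sits in the DMZ (3-NIC)

    # Case 1: outside attacker sends directly to a learned internal address.
    probe = Packet("203.0.113.7", "192.168.1.20", 445)
    # Case 2: a compromised web server tries to reach a LAN host.
    pivot_flat = Packet("192.168.1.10", "192.168.1.20", 22)
    pivot_dmz = Packet("192.168.2.10", "192.168.1.20", 22)
    # Legitimate traffic the policy is meant to permit.
    web = Packet("203.0.113.7", "192.168.2.10", 80)

    return {
        "probe one-armed": deliver(probe, "one-armed", gw_flat)[0],
        "probe one-armed + upstream ingress filter":
            deliver(probe, "one-armed", gw_flat, upstream_ingress_filter=True)[0],
        "probe multi-nic": deliver(probe, "multi-nic", gw_dmz)[0],
        "pivot one-armed": deliver(pivot_flat, "one-armed", gw_flat)[0],
        "pivot multi-nic (DMZ + egress filter)": deliver(pivot_dmz, "multi-nic", gw_dmz)[0],
        "web multi-nic": deliver(web, "multi-nic", gw_dmz)[0],
    }


if __name__ == "__main__":
    for name, delivered in scenarios().items():
        print(f"{name:45s} {'DELIVERED' if delivered else 'blocked'}")
```

The model deliberately ignores masquerading: NAT only matters for packets addressed to the gateway's own address, which is exactly why it offers no protection to hosts whose addresses an attacker can reach on the shared segment. The only things that change an outcome in the one-armed case are the upstream device's ingress filtering or moving to separate segments.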


