
Re: I want to have my cake and eat it too



Jonathan

Thanks for the feedback

At 06:39 AM 1/04/2003, Jonathan Oxer wrote:
Is there a particular reason you are against adding another card? Seems
to me that would make the problem relatively simple.

I agree. The problem is that I can't get another Ethernet connection to the machine, at least not without a LOT of expense.

Even though you didn't ask for it, another thought in passing: provided
you get this going by whatever means, and depending on how many internal
machines you have, you could do MAC address matching in iptables to make
sure only your nominated machines can get to your proper internal
addresses. In other words, treat your internal network as hostile, not
just your external network. I'm of the opinion it's good practice to do
that anyway, with the growing incidence of staff doing crazy things like
installing unprotected WiFi access points on internal networks. Don't
just SNAT all internal machines out to the net, block everything in both
directions at your firewall and only allow data in *or* *out* that you
specify.

I hadn't thought of that. I'll give it some thought and see if it's feasible.

Ian
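As an added illustration of the whitelist approach Jonathan describes (default DROP in both directions, nominated internal machines matched on IP plus MAC, SNAT only for what the filter already let through), here is a script that generates an iptables-restore ruleset. It is example code written for this page, not something from the thread or from either poster; the interface names, LAN range, host names, addresses and MACs are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates an iptables-restore(8)
# ruleset for a Linux gateway that treats the internal LAN as hostile.
#
# Assumed layout (not taken from the post):
#   eth0 = external interface, eth1 = internal LAN 192.168.1.0/24
#   Only the machines in HOSTS may reach the internet, and only on the
#   TCP ports in ALLOWED_OUT (plus UDP/53 for DNS). Everything else is dropped
#   and logged.

EXT_IF=eth0
INT_IF=eth1
LAN=192.168.1.0/24

# "name ip mac" per line; constructed sample data for this example.
HOSTS='
ws1 192.168.1.10 00:11:22:33:44:55
ws2 192.168.1.11 00:11:22:33:44:66
'

# Outbound TCP destination ports the nominated hosts may open.
ALLOWED_OUT='22 53 80 443'

# gen_rules prints the ruleset instead of applying it, so it can be reviewed
# (and tested) without root. Apply with:  gen_rules | iptables-restore
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # One FORWARD rule per nominated host and allowed service. The mac match
    # sees only the source MAC of frames arriving on $INT_IF, i.e. hosts on the
    # directly attached segment, and MACs are trivially forged: this narrows
    # who can use the gateway, it does not authenticate anyone.
    printf '%s\n' "$HOSTS" | while read -r name ip mac; do
        [ -n "$name" ] || continue
        for port in $ALLOWED_OUT; do
            printf '%s\n' "-A FORWARD -i $INT_IF -o $EXT_IF -s $ip -m mac --mac-source $mac -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
        printf '%s\n' "-A FORWARD -i $INT_IF -o $EXT_IF -s $ip -m mac --mac-source $mac -p udp --dport 53 -j ACCEPT"
    done
    # Anything that reached the end of FORWARD is dropped by policy; log it
    # first so rogue devices (an unplanned WiFi AP, say) show up in the logs.
    printf '%s\n' '-A FORWARD -j LOG --log-prefix "FW-DROP: "'
    echo "COMMIT"
    # nat/POSTROUTING runs after the FORWARD decision, so only connections the
    # filter accepted ever get masqueraded: no blanket SNAT of the whole LAN.
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
COMMIT
EOF
}

gen_rules
```

Two caveats a practitioner would add: the OUTPUT policy of DROP above means the gateway itself cannot start connections (its own DNS lookups or package updates need explicit OUTPUT rules), and `-m mac` is only valid in the PREROUTING, INPUT and FORWARD chains, so it cannot be used to restrict replies on the way back in from the external side. `-m state` is the period-appropriate spelling; current iptables prefers `-m conntrack --ctstate` with the same semantics.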


