Re: iptables-save/restore with dynamic IP

To: debian-firewall@lists.debian.org
Subject: Re: iptables-save/restore with dynamic IP
From: "Volker Tanger" <volker.tanger@detewe.de>
Date: Thu, 21 Oct 2004 16:23:25 +0200
Message-id: <[🔎] 20041021162325.44a86ed5.volker.tanger@detewe.de>
In-reply-to: <[🔎] 20041021141549.GA32443@cirrus.madduck.net>
References: <[🔎] 41765828.9090504@gmx.net> <[🔎] 20041021105617.GB31805@cirrus.madduck.net> <[🔎] 4177A164.40203@gmx.net> <[🔎] 20041021114847.GA5001@cirrus.madduck.net> <[🔎] 4177BA65.8040409@gmx.net> <[🔎] 20041021134130.GA30163@cirrus.madduck.net> <[🔎] 20041021134904.GA2437@reddwarf.farnz.org.uk> <[🔎] 20041021141549.GA32443@cirrus.madduck.net>

Greetings!

On Thu, 21 Oct 2004 16:15:49 +0200 martin f krafft <madduck@debian.org>
wrote:
> also sprach simon@farnz.org.uk <simon@farnz.org.uk> [2004.10.21.1549
> +0200]:> The only time I've seen this done has been with PPPoE; the
> gateway> talked PPPoE with the remote end, and communicated with the
> LAN> via the same NIC. Not that secure, but got the network running.
> 
> Sounds horrible.

While it's the same physical interface, they are logically disjunct:
internet is at ppp0 while LAN is at eth0. As long as you just filter
against ppp0 it should be comparatively safe (safer than directly
connected Win* machines, that is). 

You're not safe at all against attacks (or misconfigurations) from the
inside with this technique, though...

I usually prefer physical separations of green/yellow/red networks, too,
so this setup should only be used as emergency measure...

Bye

Volker Tanger
ITK Security

Reply to:

References:
- iptables-save/restore with dynamic IP
  - From: "Martin G.H. Minkler" <dukeofnukem@gmx.net>
- Re: iptables-save/restore with dynamic IP
  - From: martin f krafft <madduck@debian.org>
- Re: iptables-save/restore with dynamic IP
  - From: "Martin G.H. Minkler" <dukeofnukem@gmx.net>
- Re: iptables-save/restore with dynamic IP
  - From: martin f krafft <madduck@debian.org>
- Re: iptables-save/restore with dynamic IP
  - From: "Martin G.H. Minkler" <dukeofnukem@gmx.net>
- Re: iptables-save/restore with dynamic IP
  - From: martin f krafft <madduck@debian.org>
- Re: iptables-save/restore with dynamic IP
  - From: simon@farnz.org.uk
- Re: iptables-save/restore with dynamic IP
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: iptables-save/restore with dynamic IP
Next by Date: Re: iptables-save/restore with dynamic IP
Previous by thread: Re: iptables-save/restore with dynamic IP
Next by thread: Re: iptables-save/restore with dynamic IP
Index(es):
- Date
- Thread