
Re: activating ipchains & ip masquerading ...



Jamin W. Collins wrote:
> On Tue, 28 May 2002 15:30:04 +0200
> "Marcus Przyklink" <downhill@uchusphere.de> wrote:
> 
> > Jamin W. Collins wrote:
> > > On Tue, 28 May 2002 15:02:24 +0200
> > > "Marcus Przyklink" <downhill@uchusphere.de> wrote:
> > > > wotan:~ # cat masquerading 
> > > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > > echo 1 >/proc/sys/net/ipv4/ip_forward
> > > 
> > > I trust you understand just how insecure that script is, right?
> > 
> > I think for a home-LAN, say a trusted LAN, it's ok, and I've understood
> > that the question was for such a LAN to connect to the internet.
> > If I got something wrong, one way or the other, please correct me.
> 
> I believe you understood both questions, and the posted script will
> provide the basic functionality.  However, the insecurities that I'm
> referring to are not concerning how the script behaves with your internal
> (aka trusted) segment so much as the external (aka untrusted) segment.
>  
> With the above script, you've left all policies at their defaults of
> "ACCEPT".  Thus, the NAT'ing box is fully exposed to the internet.  Unless
> you've taken other steps to limit/eliminate unused services, this box is
> most likely open in one way or another. Don't get me wrong, I'm aware
> that a box without a firewall at all can be just as secure (possibly even
> more so) than one with one.  However, if you are already using the
> firewall tool to provide NAT'ing for your network, you might want to
> consider using its other features to add another layer of protection to
> your network.

Ah, now I understand what you mean.
Well, the box connected to the internet has only the SMTP and SSH ports
open, so I think it's pretty secure. The MTA is qmail without relaying
or the like activated. Sure, it would be more secure to accept only ssh connections
from the LAN to the box, but sometimes I want friends to be able to
connect to the box via ssh over the internet. For these reasons
I don't have a firewall running. Allowing only some IPs to connect to
ssh won't work, my friends have no static IP.

-- 
There are only two ways to live your life. One is as though nothing
is a miracle. The other is as though everything is.
  [Albert Einstein]
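A hardened counterpart to the two-line masquerading script quoted in this thread, added here as an example; it is not code from either poster. It assumes ppp0 is the internet link, eth0/192.168.1.0/24 is the trusted LAN, and that SSH and SMTP on the box itself stay reachable from the internet, as Marcus wants; it sets default-DROP policies on INPUT and FORWARD instead of leaving them at ACCEPT.

```shell
#!/bin/sh
# Assumed layout (not from the thread): WAN on ppp0, LAN on eth0,
# LAN addresses 192.168.1.0/24, SSH (22) and SMTP (25) open to the world.
WAN=ppp0
LAN=eth0
LAN_NET=192.168.1.0/24
OPEN_TCP="22 25"   # services kept reachable from the internet

# Emit the iptables commands as text so the ruleset can be reviewed (or
# tested) before being applied with:  fw_rules | sh
fw_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Default deny for what the box receives or forwards; its own outbound stays open.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Loopback, plus replies to connections the box already has open.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Anything from the trusted segment may reach the box itself.
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
# Packets claiming a LAN source address but arriving on the WAN link are spoofed.
iptables -A INPUT -i $WAN -s $LAN_NET -j DROP
EOF
    for p in $OPEN_TCP; do
        echo "iptables -A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Forward only LAN-originated traffic out, and only replies back in.
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# The original script's two lines, now sitting behind the filter above.
iptables -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward
EOF
}

# Only apply when asked explicitly, so sourcing the file for review is harmless.
if [ "$1" = apply ]; then
    fw_rules | sh
fi
```

Run as root with `sh masquerading apply`; without the argument it prints nothing, and `fw_rules` can be sourced and inspected first.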

