
Re: activating ipchains & ip masquerading ...

Jamin W. Collins wrote:
> On Tue, 28 May 2002 15:30:04 +0200
> "Marcus Przyklink" <downhill@uchusphere.de> wrote:
> > Jamin W. Collins wrote:
> > > On Tue, 28 May 2002 15:02:24 +0200
> > > "Marcus Przyklink" <downhill@uchusphere.de> wrote:
> > > > wotan:~ # cat masquerading 
> > > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > > echo 1 >/proc/sys/net/ipv4/ip_forward
> > > 
> > > I trust you understand just how insecure that script is, right?
> > 
> > I think for a home-LAN, say a trusted LAN, it's ok, and I've understood
> > that the question was for such a LAN to connect to the internet.
> > If I got something wrong, one way or the other, please correct me.
> I believe you understood both questions, and the posted script will
> provide the basic functionality.  However, the insecurities that I'm
> referring to are not concerning how the script behaves with your internal
> (aka trusted) segment so much as the external (aka untrusted) segment.
> With the above script, you've left all policies at their defaults of
> "ACCEPT".  Thus, the NAT'ing box is fully exposed to the internet.  Unless
> you've taken other steps to limit/eliminate unused services, this box is
> most likely open in one way or another. Don't get me wrong, I'm aware
> that a box without a firewall at all can be just as secure (possibly even
> more so) than one with one.  However, if you are already using the
> firewall tool to provide NAT'ing for your network, you might want to
> consider using its other features to add another layer of protection to
> your network.

Ah, now I understand what you mean.
Well, the box connected to the internet has only SMTP and SSH ports
open, so I think it's pretty secure. The MTA is qmail without relaying
or so activated. Sure, it would be more secure to accept only ssh-connections
from the LAN to the box, but sometimes I want friends to be able to
connect to the box via ssh over the internet. Because of these reasons
I don't have a firewall running. Allowing only some IPs to connect to
ssh won't work, my friends have no static IP.

There are only two ways to live your life. One is as though nothing
is a miracle. The other is as though everything is.
  [Albert Einstein]

To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
