
Re: selecting old machines for firewall/router use





On 22 February 2011 00:45, Stan Hoeppner <stan@hardwarefreak.com> wrote:
shawn wilson put forth on 2/21/2011 6:05 PM:
> On Mon, Feb 21, 2011 at 6:45 PM, Stan Hoeppner <stan@hardwarefreak.com> wrote:
>
>> Pascal Hambourg put forth on 2/21/2011 3:51 PM:
>>>> Stan Hoeppner wrote:
>>>>
>>>> You only need one
>>>> NIC in your firewall box when using a switch.  You simply plug
>>>> everything into the switch including the DSL modem and the Netgear.
>>>> Bind both the public and private IP addresses to the same NIC in the
>>>> firewall using a virtual NIC: i.e. eth0 and eth0:1.
>>>
>>> This is a wrong idea because the firewall can be by-passed, leaving a
>>> hole in the LAN security.
>>
>> Would you mind explaining why you believe this?

> well, if you fill up a switch's arp cache, it starts acting like a hub. at
> that point data goes everywhere.

Anything to a MAC in the cache will go to the right place; anything not in the cache is broadcast.

If the cache is full, nothing new can be added to it, so a MAC's location can't be added and any data sent to that MAC will continue to be broadcast on all ports.

Since cache entries also expire, if an entry isn't refreshed in time it'll get removed from the cache. If the cache fills back up before that MAC's location gets re-added, then data sent to that MAC will also start to be broadcast.

It'd need a large number of ARP packets (an attack) to manage to fill the cache up, though... whether that data can get onto the network in the first place is another matter.


Would you mind pointing the list to the document that verifies your claim?

> supposedly, there is also a way to 'pivot' past a nat device - i haven't
> looked into this, so i can't speak to this much...

Again, would you mind pointing us to a document that verifies this?

I ask because neither is true, and I'd like to see the source of your
misinformation.

--
Stan
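As an added illustration of the switch behaviour described in the reply above (a toy model written for this archive page, not code from anyone in the thread), here is a small Python simulation of a learning switch with a bounded forwarding table and entry aging. The port layout, the capacity of four entries and the aging period are made-up values chosen to keep the run short; real switches hold thousands of entries, which is why filling one takes a flood of frames.

```python
from dataclasses import dataclass, field


@dataclass
class LearningSwitch:
    """Minimal model of a switch forwarding table (hypothetical, for illustration)."""
    ports: int
    capacity: int                 # maximum number of learned MAC entries
    age_limit: int                # ticks an entry survives without being refreshed
    table: dict = field(default_factory=dict)   # mac -> (port, last_seen)
    clock: int = 0

    def tick(self, n: int = 1) -> None:
        """Advance time and drop entries that were not refreshed in time."""
        self.clock += n
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if self.clock - t < self.age_limit}

    def forward(self, src: str, dst: str, in_port: int) -> set:
        """Return the set of egress ports for a frame; learn src only if there is room."""
        if src in self.table or len(self.table) < self.capacity:
            self.table[src] = (in_port, self.clock)
        entry = self.table.get(dst)
        if entry is None:
            # unknown destination: flood to every port except the one it came in on
            return {p for p in range(self.ports) if p != in_port}
        return set() if entry[0] == in_port else {entry[0]}


def flooding_scenario():
    """Egress ports for host->firewall traffic before and after the table fills."""
    sw = LearningSwitch(ports=4, capacity=4, age_limit=5)
    # constructed topology: firewall on port 0, LAN host on port 1, noisy host on port 2
    sw.forward("aa:01", "aa:00", in_port=1)          # host -> fw: host learned, fw flooded
    sw.forward("aa:00", "aa:01", in_port=0)          # fw -> host: fw learned
    before = sw.forward("aa:01", "aa:00", in_port=1)  # both known: unicast to port 0
    for _ in range(8):
        sw.tick()                                     # fw/host entries are never refreshed
        for i in range(10):                           # bursts of frames with made-up source MACs
            sw.forward(f"bb:{i:02x}", "ff:ff", in_port=2)
    # fw and host have aged out and the bogus MACs now fill the table, so the
    # host cannot be re-learned and its traffic to the firewall is flooded
    after = sw.forward("aa:01", "aa:00", in_port=1)
    return before, after, len(sw.table)
```

The run shows the two effects argued for above: once the table is full a new address is never learned, and once a real entry ages out while the table stays full, traffic to it is flooded out of every port, including the ones a firewall on the same switch was supposed to sit in front of.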


Archive: http://lists.debian.org/4D630722.1030508@hardwarefreak.com


