From: Lorin Lund
To: FreeBSD Questions
Date: Tue, 10 Dec 2002 20:56:25 -0700
Subject: single nic firewall - what are my vulnerabilities.

I just got DSL. My FreeBSD box that used to be my dial-up gateway is now my DSL gateway. I don't have any spare NICs right now so I have my home network defined as subnet 169.254.0.xxx. The DSL 'modem' defines itself as 192.168.0.1. So the NIC in my FreeBSD gateway is defined as 192.168.0.4 and aliased to 169.254.0.1. natd is running with -a 192.168.0.1.

In rc.conf, firewall_type="OPEN", so right now I don't have any firewall protection. ipfw is just there to host natd.

Assuming that I can create the right set of ipfw rules (and I suppose that could be complicated by the aliasing) are there any other vulnerabilities? Is there any way that anything dangerous can go directly from the DSL 'modem' to one of the other PCs that is on the internal subnet?

I would think that being on separate logical subnets would keep any TCP/IP traffic or UDP/IP traffic from getting around the firewall but are there any other packet types or protocols that could slip through and cause trouble?