From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
Date: Tue, 15 May 2001 16:45:42 -0500
To: freebsd-security@freebsd.org
Subject: risks of ip-forwarding, without ipf/ipfw
Message-ID: <3B01A386.53176DF8@centtech.com>

What are the risks of having a dual-homed machine (2 NICs), one on the big bad internet and one on a home LAN, with IP forwarding enabled, without ipf or ipfw running? Is this a very bad thing? Is this easily "hopped" to access the internal net? The one way I can think of that would be fairly easy to do is to use the box as a gateway to the internal home net, and that would allow access to the internal net (this is in theory, since I haven't set this up and tested this yet).

Thoughts?

Eric
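The forwarding decision the question asks about, as a small model added here (not part of the original post and not FreeBSD kernel code). The interface names, addresses and the `block_ext_to_lan` rule are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: documentation prefix outside, private LAN inside.
NETS = {
    "ext0": ipaddress.ip_network("203.0.113.0/24"),
    "int0": ipaddress.ip_network("192.168.1.0/24"),
}
OWN_ADDRS = {ipaddress.ip_address("203.0.113.2"), ipaddress.ip_address("192.168.1.1")}

@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str

def out_iface(dst):
    """Connected route if one matches, otherwise the default route via ext0."""
    for name, net in NETS.items():
        if dst in net:
            return name
    return "ext0"

def block_ext_to_lan(pkt, out):
    """Hypothetical filter rule: nothing arriving on ext0 may leave via int0.
    Stateless for brevity; a real ruleset would also keep state so replies to
    LAN-initiated connections are let back in."""
    return pkt.in_iface == "ext0" and out == "int0"

def decide(pkt, forwarding, rules=()):
    """Return what the dual-homed box does with one packet."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst in OWN_ADDRS:
        return "deliver-local"
    if not forwarding:
        return "drop:forwarding-disabled"
    out = out_iface(dst)
    if any(rule(pkt, out) for rule in rules):
        return "drop:filtered"
    return "forward:" + out

if __name__ == "__main__":
    # A host on the external segment that uses the box as its gateway.
    probe = Packet("ext0", "203.0.113.50", "192.168.1.10")
    print(decide(probe, forwarding=True))                            # no filter
    print(decide(probe, forwarding=True, rules=[block_ext_to_lan]))  # filtered
    print(decide(probe, forwarding=False))                           # not a router
```

With forwarding on and no rules, the routing table is the only thing consulted, so the LAN is reachable from any host that can hand the box a packet addressed to it.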