From owner-freebsd-security Tue May 15 18:34:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from saturn.cranehome.net (mkc-65-26-118-19.kc.rr.com [65.26.118.19]) by hub.freebsd.org (Postfix) with ESMTP id 013C937B423 for ; Tue, 15 May 2001 18:34:15 -0700 (PDT) (envelope-from kcrane@kcsaturn.homeip.net)
Received: from kcranemobile (saturn.cranehome.net [192.168.0.1]) by saturn.cranehome.net (Postfix) with SMTP id ECBDA24D02 for ; Tue, 15 May 2001 20:34:12 -0500 (CDT)
Message-ID: <002101c0dda8$d3b3e400$3401a8c0@kcranemobile>
From: "Kyle Crane"
To:
References: <3B01A386.53176DF8@centtech.com>
Subject: Re: risks of ip-forwarding, without ipf/ipfw
Date: Tue, 15 May 2001 20:37:53 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would think long and hard before doing that. There are numerous ways to
hop through a gateway to the nice juicy targets behind it. You end up
allowing everyone out there to fire away at anything you have running.

In practical terms it is so much easier to secure a single gateway than to
secure a gateway plus N number of internal workstations.

Learn and run ipf or ipfw. You will be very happy you did.

Kyle

----- Original Message -----
From: "Eric Anderson"
To:
Sent: Tuesday, May 15, 2001 4:45 PM
Subject: risks of ip-forwarding, without ipf/ipfw

> What are the risks of having a dual-homed machine (2 NICs), one on the
> big bad internet and one on a home lan, with ip forwarding enabled,
> without ipf or ipfw running?
>
> Is this a very bad thing? Is this easily "hopped" to access the
> internal net?
>
> The one way I can think of that would be fairly easy to do is to use the
> box as a gateway to the internal home net, and that would allow access
> to the internal net.. (this is in theory, since I haven't set this up
> and tested this yet)..
>
> Thoughts?
>
> Eric