Date: Wed, 16 May 2001 09:29:59 +0200
From: Axel Scheepers <axel@beheer2.iae.nl>
To: freebsd-security@freebsd.org
Subject: Re: risks of ip-forwarding, without ipf/ipfw
Message-ID: <20010516092959.A42898@beheer2.iae.nl>
In-Reply-To: <002101c0dda8$d3b3e400$3401a8c0@kcranemobile>; from kcrane@kcsaturn.homeip.net on Tue, May 15, 2001 at 08:37:53PM -0500
References: <3B01A386.53176DF8@centtech.com> <002101c0dda8$d3b3e400$3401a8c0@kcranemobile>
Hi,

I would rethink that. At home I have a similar configuration which consists of 3 boxes. One is an old 486 which has a ppp uplink (will be replaced by cable soon ;-). I suggest that you use ipf on your internet gateway/router and block the services you don't intend to run. You can safely keep state on outgoing connections so you can access the internet without troubles. With this setup you'll need natd or something similar too. Probably a bit more complicated to install/setup but a much safer environment afterwards.

Grz,
Axel

On Tue, May 15, 2001 at 08:37:53PM -0500, Kyle Crane wrote:
> I would think long and hard before doing that. There are numerous ways to
> hop through a gateway to the nice juicy targets behind it. You end up
> allowing everyone out there to fire away at anything you have running. In
> practical terms it's so much easier to secure a single gateway than to secure
> a gateway plus N number of internal workstations. Learn and run ipf or
> ipfw. You will be very happy you did.
>
> Kyle
>
> ----- Original Message -----
> From: "Eric Anderson" <anderson@centtech.com>
> To: <freebsd-security@freebsd.org>
> Sent: Tuesday, May 15, 2001 4:45 PM
> Subject: risks of ip-forwarding, without ipf/ipfw
>
>
> > What are the risks of having a dual-homed machine (2 NICs), one on the
> > big bad internet and one on a home LAN, with IP forwarding enabled,
> > without ipf or ipfw running?
> >
> > Is this a very bad thing? Is this easily "hopped" to access the
> > internal net?
> > The one way I can think of that would be fairly easy to do is to use the
> > box as a gateway to the internal home net, and that would allow access
> > to the internal net.. (this is in theory, since I haven't set this up
> > and tested this yet)..
> >
> > Thoughts?
> >
> > Eric
>

--
Kind regards,

VIA NET.WORKS Nederland
Axel Scheepers
Operations
phone +31 40 239 33 93
fax +31 40 239 33 11
e-mail eindhoven.beheer@vianetworks.nl
http://www.vianetworks.nl/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
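For readers who want to see what Axel's advice looks like on disk, here is a minimal ipf configuration of the kind he describes: default-deny inbound on the uplink, only the services the gateway intends to run opened up, `keep state` on outbound so replies come back without inbound holes, and NAT for the LAN. This is an added example, not configuration posted in the thread. It assumes the ppp uplink is `tun0`, the home LAN is on `rl0` as 192.168.1.0/24, and SSH is the one service the gateway itself runs; change those to match. The thread says "natd or something similar"; with ipf the "something similar" is ipnat, ipf's own NAT, which is what is shown (natd is the companion of ipfw and needs a divert rule there).

```text
# /etc/rc.conf additions (FreeBSD 4.x names): forward packets and load ipf + ipnat at boot
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# /etc/ipf.rules  (reload by hand with: ipf -Fa -f /etc/ipf.rules)
# Assumed interfaces: tun0 = ppp uplink, rl0 = home LAN 192.168.1.0/24.
# 'quick' makes a rule final on match; without it ipf uses last-match-wins.

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: nothing arriving on the uplink may claim a LAN or loopback source.
block in log quick on tun0 from 192.168.1.0/24 to any
block in log quick on tun0 from 127.0.0.0/8 to any

# The LAN side is trusted: hosts behind the gateway may talk to it and through it.
pass in  quick on rl0 all
pass out quick on rl0 all

# Outbound on the uplink (from the gateway itself and, after NAT, from the LAN):
# keep state so the replies are admitted by the state table, not by an inbound rule.
# 'flags S' only creates TCP state on a genuine SYN.
pass out quick on tun0 proto tcp  from any to any flags S keep state
pass out quick on tun0 proto udp  from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# The one service this gateway intends to offer to the internet: SSH to the gateway.
pass in quick on tun0 proto tcp from any to any port = 22 flags S keep state

# Everything else on the uplink is dropped and logged (ipmon -Ds reads the log).
block in  log quick on tun0 all
block out log quick on tun0 all

# /etc/ipnat.rules  (reload by hand with: ipnat -CF -f /etc/ipnat.rules)
# 0/32 means "use whatever address tun0 currently has", which suits a dial-up ppp link.
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map tun0 192.168.1.0/24 -> 0/32
```

After loading, `ipfstat -io` shows the rules as ipf parsed them, `ipfstat -s` shows the state table filling up as you browse from a LAN host, and `ipnat -l` lists active translations. Checking from the outside, only port 22 on the gateway should answer; anything aimed at a 192.168.1.x address should show up in the ipmon log as a blocked packet rather than being forwarded.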
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010516092959.A42898>