Date: Wed, 16 May 2001 08:56:15 -0700 (PDT)
From: Jano Lukac <jedovaty@yahoo.com>
To: freebsd-security@freebsd.org
Subject: Re: risks of ip-forwarding, without ipf/ipfw
Message-ID: <20010516155615.40395.qmail@web14503.mail.yahoo.com>
In-Reply-To: <20010516092959.A42898@beheer2.iae.nl>
If your IP changes (e.g. in a PPP or PPPoE link), do you have to rerun
ipf/ipfw/natd every time? Or is FreeBSD smart about this (unlike the
unnamed arctic semi-counterpart which uses ipchains/iptables)?

--- Axel Scheepers <axel@beheer2.iae.nl> wrote:
> Hi,
> I would rethink that, at home I have a similar configuration which consists
> of 3 boxes. One is an old 486 which has a PPP uplink (will be replaced by
> cable soon ;-).
> I suggest that you use ipf on your internet gateway/router and block the
> services you don't intend to run. You can safely keep state on outgoing
> connections so you can access the internet without trouble.
> With this setup you'll need natd or something similar too.
> Probably a bit more complicated to install/setup but a much safer
> environment afterwards.
> Regards,
> Axel
>
> On Tue, May 15, 2001 at 08:37:53PM -0500, Kyle Crane wrote:
> > I would think long and hard before doing that. There are numerous ways to
> > hop through a gateway to the nice juicy targets behind it. You end up
> > allowing everyone out there to fire away at anything you have running. In
> > practical terms it is so much easier to secure a single gateway than to
> > secure a gateway plus N number of internal workstations. Learn and run ipf
> > or ipfw. You will be very happy you did.
> >
> > Kyle
> >
> > ----- Original Message -----
> > From: "Eric Anderson" <anderson@centtech.com>
> > To: <freebsd-security@freebsd.org>
> > Sent: Tuesday, May 15, 2001 4:45 PM
> > Subject: risks of ip-forwarding, without ipf/ipfw
> >
> >
> > > What are the risks of having a dual-homed machine (2 NICs), one on the
> > > big bad internet and one on a home LAN, with IP forwarding enabled,
> > > without ipf or ipfw running?
> > >
> > > Is this a very bad thing? Is this easily "hopped" to access the
> > > internal net?
> > > The one way I can think of that would be fairly easy to do is to use the
> > > box as a gateway to the internal home net, and that would allow access
> > > to the internal net.. (this is in theory, since I haven't set this up
> > > and tested this yet)..
> > >
> > > Thoughts?
> > >
> > > Eric
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> >
> --
> Kind regards,
> VIA NET.WORKS Nederland
>
> Axel Scheepers
> Operations
> phone +31 40 239 33 93
> fax +31 40 239 33 11
> e-mail eindhoven.beheer@vianetworks.nl
> http://www.vianetworks.nl/
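The setup Axel recommends in the quoted reply (ipf on the gateway, everything not deliberately offered blocked on the uplink, state kept on outgoing connections, NAT for the home LAN), written out as a FreeBSD 4.x-era configuration. This is an added example, not configuration posted by anyone in the thread. The interface names tun0 (PPP uplink) and fxp0 (home LAN), the LAN prefix 192.168.1.0/24 and the file paths are assumptions; ipnat is used for the NAT half because it ships with ipf, where Axel mentions natd.

```conf
# ---- /etc/rc.conf (additions) ----
gateway_enable="YES"              # IP forwarding between tun0 and fxp0
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"

# ---- /etc/sysctl.conf ----
# Refuse source-routed packets. With forwarding on and no filter, a
# source-routed packet is the classic way to steer traffic through the
# gateway to a LAN address that is otherwise not reachable from outside.
net.inet.ip.sourceroute=0
net.inet.ip.accept_sourceroute=0

# ---- /etc/ipf.rules ----   (assumed: tun0 = PPP uplink, fxp0 = LAN)
# Rules are keyed on the interface name, not on its address, so they
# stay valid when the PPP link comes up with a different address.
pass in quick on lo0 all
pass out quick on lo0 all

# Spoofed sources on the uplink: RFC 1918 and loopback addresses never
# arrive from the Internet legitimately.
block in quick on tun0 from 10.0.0.0/8 to any
block in quick on tun0 from 172.16.0.0/12 to any
block in quick on tun0 from 192.168.0.0/16 to any
block in quick on tun0 from 127.0.0.0/8 to any

# Default for the uplink: everything inbound is dropped and logged unless
# a later "pass in quick" rule for an intentionally offered service matches.
block in log on tun0 all

# Outgoing connections from the gateway and (via ipnat) from the LAN:
# keep state, so only replies to these connections are let back in.
pass out quick on tun0 proto tcp from any to any flags S/SA keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Services deliberately exposed on the uplink go here. Example, ssh to
# the gateway itself (commented out; nothing is exposed by default):
# pass in quick on tun0 proto tcp from any to any port = 22 flags S/SA keep state

# The home LAN side is trusted.
pass in quick on fxp0 all
pass out quick on fxp0 all

# ---- /etc/ipnat.rules ----
# 0/32 means "whatever address tun0 has right now", so the mapping
# follows a PPP address change without editing the file.
map tun0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map tun0 192.168.1.0/24 -> 0/32
```

To load by hand after editing: ipf -Fa -f /etc/ipf.rules and ipnat -CF -f /etc/ipnat.rules. The outbound rules say "from any" rather than naming the gateway's address on purpose: the address is dynamic, and depending on the ipf version the filter may see the untranslated LAN source on the way out, so check the filter/NAT processing order of the version in use before tightening them. If the link address changes and ipf's notion of interface addresses looks stale, ipf -y resyncs it; if natd is used instead of ipnat, its -dynamic option makes it follow interface address changes.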