Date:      Wed, 16 May 2001 08:56:15 -0700 (PDT)
From:      Jano Lukac <jedovaty@yahoo.com>
To:        freebsd-security@freebsd.org
Subject:   Re: risks of ip-forwarding, without ipf/ipfw
Message-ID:  <20010516155615.40395.qmail@web14503.mail.yahoo.com>
In-Reply-To: <20010516092959.A42898@beheer2.iae.nl>


If your IP changes (e.g. in a PPP or PPPoE link), do you have to rerun
ipf/ipfw/natd every time?  Or is FreeBSD smart about this (unlike the unnamed
arctic semi-counterpart which uses ipchains/iptables)?

--- Axel Scheepers <axel@beheer2.iae.nl> wrote:
> Hi,
> I would rethink that, at home I have a similar configuration which consists
> of 3 boxes. One is an old 486 which has a PPP uplink (will be replaced by 
> cable soon ;-).
> I suggest that you use ipf on your internet gateway/router and block the 
> services you don't intend to run. You can safely keep state on outgoing
> connections so you can access the internet without troubles.
> With this setup you'll need natd or something similar too.
> Probably a bit more complicated to install/setup but a much safer
> environment afterwards.
> Regards,
> Axel
> 
> On Tue, May 15, 2001 at 08:37:53PM -0500, Kyle Crane wrote:
> > I would think long and hard before doing that.  There are numerous ways to
> > hop through a gateway to the nice juicy targets behind it.  You end up
> > allowing everyone out there to fire away at anything you have running.  In
> > practical terms it is so much easier to secure a single gateway than to secure
> > a gateway plus N number of internal workstations.  Learn and run ipf or
> > ipfw.  You will be very happy you did.
> > 
> > Kyle
> > 
> > ----- Original Message -----
> > From: "Eric Anderson" <anderson@centtech.com>
> > To: <freebsd-security@freebsd.org>
> > Sent: Tuesday, May 15, 2001 4:45 PM
> > Subject: risks of ip-forwarding, without ipf/ipfw
> > 
> > 
> > > What are the risks of having a dual-homed machine (2 NICs), one on the
> > > big bad internet and one on a home LAN, with IP forwarding enabled,
> > > without ipf or ipfw running?
> > >
> > > Is this a very bad thing?  Is this easily "hopped" to access the
> > > internal net?
> > > The one way I can think of that would be fairly easy to do is to use the
> > > box as a gateway to the internal home net, and that would allow access
> > > to the internal net. (This is in theory, since I haven't set this up
> > > and tested this yet.)
> > >
> > > Thoughts?
> > >
> > >
> > >
> > > Eric
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >
> 
> -- 
> With kind regards,
> VIA NET.WORKS Nederland
> 
> Axel Scheepers
> Operations
> phone 	+31 40 239 33 93
> fax 	+31 40 239 33 11
> e-mail 	eindhoven.beheer@vianetworks.nl
> http://www.vianetworks.nl/



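Axel's recommendation above (block inbound on the uplink, keep state on outgoing connections, NAT for the LAN) and Jano's question about a changing PPP address, as an added example that is not part of the original thread: a constructed ipf/ipnat configuration that assumes tun0 is the PPP uplink and fxp0 the home LAN on 192.168.1.0/24. The rules refer only to interface names, and ipnat's 0/32 stands for the interface's current address, so nothing has to be rewritten when the link comes up with a new address.

```conf
# /etc/ipf.rules (constructed example; tun0 = PPP uplink, fxp0 = home LAN)

# Loopback and the internal LAN interface are trusted.
pass in  quick on lo0 all
pass out quick on lo0 all
pass in  quick on fxp0 all
pass out quick on fxp0 all

# Connections opened from the gateway or the LAN create a state entry,
# so their replies are let back in without any "pass in" rule on tun0.
pass out quick on tun0 proto tcp  from any to any flags S keep state
pass out quick on tun0 proto udp  from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state

# Everything else arriving on the uplink is dropped and logged (ipmon),
# which is where attempts to route through the box to the LAN show up.
block in  log quick on tun0 all
block out log quick on tun0 all

# /etc/ipnat.rules (constructed example)
# 0/32 = "the address tun0 has right now", so a reconnect with a new
# address needs no edit; after the change, "ipf -y" (assumed to be run
# from ppp's link-up script) resyncs ipf's view of the interface.
map tun0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map tun0 192.168.1.0/24 -> 0/32

# /etc/rc.conf additions (constructed): enable forwarding only together
# with the filter, the NAT rules and the logger.
# gateway_enable="YES"
# ipfilter_enable="YES"
# ipnat_enable="YES"
# ipmon_enable="YES"
```

Check the result with `ipfstat -io` (loaded rules) and `ipnat -l` (active map rules) after the link is up, and watch ipmon's log for blocked inbound packets on tun0.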