Date: Thu, 17 May 2001 10:37:10 +1000
From: Dave Seddon <das@mbox.com.au>
To: freebsd-security@FreeBSD.ORG
Subject: RE: risks of ip-forwarding, without ipf/ipfw
Message-ID: <3e9a343ed668.3ed6683e9a34@mbox.com.au>
I run a FreeBSD router/firewall for my home network, sharing cable. If I wasn't actually packet filtering, how would somebody attack my internal machines (assuming the gateway box was secure and people couldn't telnet, etc., into it)?

Doesn't natd provide a lot of protection anyway? Natd dynamically keeps track of outgoing connections, then maps these back on the way back in. So if somebody tries to start a connection inbound, it will hit the router, natd will look through its table, say to itself "no match" and drop the packet(s). I assume that natd actually tracks the close of a TCP connection and removes entries? Or is this done by some sort of timeout?

Is the way to attack: sit on the cable Ethernet network, address frames to the target site's Ethernet address, address packets to the (guessed) internal addresses of the target site, and set the return packet address to your box? (assuming no firewall)

Just wondering...

Dave Seddon

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Eric Anderson
Sent: Thursday, 17 May 2001 6:35
To: Crist Clark
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: risks of ip-forwarding, without ipf/ipfw

No, I'm not actually doing this, I was more curious than anything. I use ipfilter myself. Thanks for the good thoughts everyone.

Crist Clark wrote:
>
> Eric Anderson wrote:
> >
> > What are the risks of having a dual-homed machine (2 NICs), one on the
> > big bad internet and one on a home LAN, with IP forwarding enabled,
> > without ipf or ipfw running?
>
> A.k.a. a router.
>
> All it means is that every machine on the home LAN must be hardened
> and treated as if it were directly connected to the Internet 'cause,
> well, it is.
> --
> Crist J. Clark                         Network Security Engineer
> crist.clark@globalstar.com             Globalstar, L.P.
> (408) 933-4387                        FAX: (408) 933-4926

--
Eric Anderson        anderson@centtech.com        Centaur Technology        (512) 418-5792
The idea is to die young as late as possible.
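Two facts about the FreeBSD setup under discussion bear on Dave's question, and the model below makes them concrete. First, natd(8) receives packets through ipfw divert rules, so a box with forwarding enabled and no ipfw loaded has natd out of the path entirely. Second, natd only translates packets addressed to the gateway's own public address; a packet that arrives on the outside interface already addressed to 192.168.1.x is never a NAT candidate, and plain IP forwarding routes it on destination alone, which is exactly the attack Dave sketches. Inbound packets to the public address with no table entry are dropped only when natd runs with -deny_incoming; by default they are passed through to the gateway itself. The following toy gateway is an added example, not code from the thread or from FreeBSD: the prefixes, ports, the interface names ext0/lan0, the idle timeout and the scenario traffic are all constructed, and the table is a simplification of what natd/libalias does (it models -deny_incoming, FIN/RST close tracking and idle expiry), not a reimplementation of it.

```python
"""Toy dual-homed gateway: plain IP forwarding, a natd-style dynamic translation
table, and an ingress filter. Added example; addresses, ports, ext0/lan0 and the
timeout are constructed, and NatTable is a simplification of natd, not a port of it."""
import ipaddress
from dataclasses import dataclass, replace

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed internal prefix
EXT_IP = ipaddress.ip_address("203.0.113.5")      # assumed public address (documentation range)
IDLE_TIMEOUT = 300                                 # assumed idle expiry for table entries, seconds


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet arrived on: "ext0" or "lan0"
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: "S", "SA", "FA", "R"
    t: int = 0        # arrival time in seconds


class NatTable:
    """Mappings keyed by (proto, public port); only outbound traffic creates them."""

    def __init__(self):
        self.entries = {}     # (proto, ext_port) -> {"lan": (ip, port), "last": t, "fins": set()}
        self.next_port = 40000

    def _expire(self, now):
        for key in [k for k, e in self.entries.items() if now - e["last"] > IDLE_TIMEOUT]:
            del self.entries[key]

    def _touch(self, key, pkt, direction):
        e = self.entries[key]
        e["last"] = pkt.t
        if pkt.proto != "tcp":
            return
        if "R" in pkt.flags:                 # reset: mapping goes away at once
            del self.entries[key]
        elif "F" in pkt.flags:
            e["fins"].add(direction)         # closed only once a FIN has passed both ways
            if e["fins"] == {"out", "in"}:
                del self.entries[key]

    def outbound(self, pkt):
        """Rewrite a LAN-originated packet to come from EXT_IP:port, creating the entry if new."""
        self._expire(pkt.t)
        key = next((k for k, e in self.entries.items()
                    if k[0] == pkt.proto and e["lan"] == (pkt.src, pkt.sport)), None)
        if key is None:
            key = (pkt.proto, self.next_port)
            self.next_port += 1
            self.entries[key] = {"lan": (pkt.src, pkt.sport), "last": pkt.t, "fins": set()}
        self._touch(key, pkt, "out")
        return replace(pkt, src=str(EXT_IP), sport=key[1])

    def inbound(self, pkt):
        """Map a packet addressed to EXT_IP back to the LAN host; None when no entry matches."""
        self._expire(pkt.t)
        key = (pkt.proto, pkt.dport)
        if key not in self.entries:
            return None
        lan_ip, lan_port = self.entries[key]["lan"]
        self._touch(key, pkt, "in")
        return replace(pkt, dst=lan_ip, dport=lan_port)


def ingress_filter(pkt):
    """The anti-spoofing check a packet filter adds: nothing arriving on the public
    interface may carry an internal address as source or destination."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return pkt.iface == "ext0" and (src in LAN_NET or dst in LAN_NET)


def gateway(pkt, nat, filtering):
    """One forwarding decision: returns (action, packet as it leaves the box)."""
    if filtering and ingress_filter(pkt):
        return "drop:filter", pkt
    dst = ipaddress.ip_address(pkt.dst)
    if dst == EXT_IP:
        if pkt.iface == "ext0":
            lan = nat.inbound(pkt)
            if lan is None:                  # natd -deny_incoming behaviour
                return "drop:no-nat-entry", pkt
            return "forward:lan0", lan
        return "deliver:local", pkt
    if dst in LAN_NET:
        # Plain forwarding routes on destination only; the ingress interface is never
        # consulted, so a packet for 192.168.1.x that arrived on ext0 is forwarded too.
        return "forward:lan0", pkt
    if pkt.iface == "lan0":
        return "forward:ext0", nat.outbound(pkt)
    return "forward:ext0", pkt


def run_scenario(filtering):
    """Replay constructed traffic through a fresh table; returns [(action, packet), ...]."""
    nat = NatTable()
    lan_host, web, attacker, ext = "192.168.1.10", "198.51.100.7", "198.51.100.9", str(EXT_IP)
    traffic = [
        Packet("lan0", "tcp", lan_host, 1234, web, 80, "S", t=0),         # LAN host opens a connection
        Packet("ext0", "tcp", web, 80, ext, 40000, "SA", t=1),            # reply to the mapped port
        Packet("ext0", "tcp", attacker, 5555, ext, 40001, "S", t=2),      # unsolicited probe of the gateway
        Packet("ext0", "tcp", attacker, 5555, lan_host, 23, "S", t=3),    # frame to the gateway, private dst
        Packet("lan0", "tcp", lan_host, 1234, web, 80, "FA", t=4),        # connection closes both ways
        Packet("ext0", "tcp", web, 80, ext, 40000, "FA", t=5),
        Packet("ext0", "tcp", web, 80, ext, 40000, "A", t=6),             # straggler after the close
        Packet("lan0", "udp", lan_host, 5353, web, 53, t=10),             # UDP: nothing to close, only timeout
        Packet("ext0", "udp", web, 53, ext, 40001, t=400),                # reply after the idle timeout
    ]
    return [gateway(p, nat, filtering) for p in traffic]


if __name__ == "__main__":
    for filtering in (False, True):
        print("filtering" if filtering else "forwarding only")
        for action, out in run_scenario(filtering):
            print(f"  {action:<18} {out.src}:{out.sport} -> {out.dst}:{out.dport}")
```

Run with forwarding only, the fourth packet (addressed straight to 192.168.1.10:23 but delivered to the gateway's MAC on the cable segment) comes out as `forward:lan0`: the NAT table never gets a say, because the packet was not addressed to the public IP. The same packet is dropped only when the ingress check is on. In ipfw terms that check is an anti-spoofing rule on the outside interface, along the lines of `ipfw add deny ip from any to 192.168.1.0/24 in via ed0` (interface name assumed), which is precisely the kind of rule a box running natd without a filter does not have.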
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3e9a343ed668.3ed6683e9a34>