From owner-freebsd-questions@FreeBSD.ORG Sun Apr 11 00:24:41 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D619616A4CE for ; Sun, 11 Apr 2004 00:24:41 -0700 (PDT)
Received: from gen129.n001.c02.escapebox.net (gen129.n001.c02.escapebox.net [213.73.91.129]) by mx1.FreeBSD.org (Postfix) with ESMTP id 51DFF43D2D for ; Sun, 11 Apr 2004 00:24:41 -0700 (PDT) (envelope-from gemini@geminix.org)
Message-ID: <4078F2B5.3080300@geminix.org>
Date: Sun, 11 Apr 2004 09:24:37 +0200
From: Uwe Doering
Organization: Private UNIX Site
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040119
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <407643B7.3080308@users.sourceforge.net>
In-Reply-To: <407643B7.3080308@users.sourceforge.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Received: from gemini by geminix.org with asmtp (TLSv1:AES256-SHA:256) (Exim 3.36 #1) id 1BCZKZ-0008L2-00; Sun, 11 Apr 2004 09:24:39 +0200
Subject: Re: FreeBSD router: Can my internet provider detect my home network?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 11 Apr 2004 07:24:41 -0000

Rob wrote:
>
> I plan to have a FreeBSD (4.9 stable) system serving as a router
> between my provider and a set of my home computers connected
> via a home network.
>
> My provider does not really like this, but I don't care so much,
> as long as s/he cannot detect (too easily) my home network.
> [...]
>
> Is it correct, that the combination of firewall and natd divert
> all requests and thus hide the home network for my provider?
> Are requests from all other networked home PC's done on behalf of
> the router, so that my provider will only see requests from my router?

If they want to, they can detect that there's more than one computer
using that link. They just need to look at the TCP sequence numbers.
This way they can associate TCP packets with their individual
originating hosts. If they see more than one group of sequentially
increasing TCP sequence numbers they know that you're cheating.

Whether they really care about it as long as you're not causing
excessive network traffic or other trouble is a different matter.

The only way to really hide your computers is to block direct Internet
connections and instead use proxy software on a gateway server for each
and every service. IMHO, quite an effort for probably just a couple of
bucks saved. Larger companies do this, but for security reasons and
also to control what their employees do on the Internet.

   Uwe
-- 
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net
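The detection Uwe describes, grouping packets into separately increasing counter chains and counting the chains, as an added example that is not part of the original message or of any FreeBSD tool. One note on the field: TCP initial sequence numbers are chosen per connection (and randomised by most stacks), so the per-host counter that is normally used for this is the 16-bit IP identification field, which many stacks of that era incremented globally for each packet a host sent (this is Bellovin's NAT host-counting technique). The chaining logic below is field-independent; the sample packets are constructed by hand, with `ident` standing in for the IP ID, and the `max_gap` and `max_age` thresholds are assumptions chosen for the sample, not values from the post.

```python
"""Count hosts behind a NAT gateway from per-host monotonic counters.

Added example, not code from the original post. Each observed packet
carries a timestamp and the value of a per-host counter (here the IP
identification field, which older stacks incremented by one for every
packet the host sent). A packet extends the chain whose last value is
the nearest predecessor within a small gap and a short time window;
otherwise it starts a new chain. The number of chains seen on the
outside of the NAT is a lower bound on the number of hosts behind it.
"""
from dataclasses import dataclass

IPID_MOD = 1 << 16  # the IP identification field is 16 bits and wraps


@dataclass(frozen=True)
class Packet:
    t: float    # observation time in seconds (constructed, not captured)
    ident: int  # per-host counter value as seen on the wire


def count_chains(packets, modulus=IPID_MOD, max_gap=10, max_age=5.0):
    """Return the chains as lists of Packet, in order of first sight.

    max_gap: largest forward step (modulo wrap) that still counts as the
             same host; packets the observer did not see leave gaps.
    max_age: seconds after which a chain is no longer extended, so a
             host that went quiet does not get merged with a newcomer
             whose counter happens to land just above it.
    Both thresholds are assumptions chosen for the sample data.
    """
    chains = []
    for pkt in sorted(packets, key=lambda p: p.t):
        best, best_gap = None, None
        for chain in chains:
            last = chain[-1]
            gap = (pkt.ident - last.ident) % modulus  # handles 65535 -> 0
            if 0 < gap <= max_gap and pkt.t - last.t <= max_age:
                if best_gap is None or gap < best_gap:
                    best, best_gap = chain, gap
        if best is None:
            chains.append([pkt])   # no plausible predecessor: new host
        else:
            best.append(pkt)
    return chains


def estimate_hosts(packets, **kwargs):
    """Lower bound on the number of distinct hosts sharing the link."""
    return len(count_chains(packets, **kwargs))


# Constructed sample: three hosts behind one NAT, interleaved on the
# wire. Host A counts from 1000, host B from 40000, host C wraps from
# 65535 to 0. The NAT rewrites the source address to the router's, but
# the IP ID is copied through unchanged by a plain natd-style NAT.
SAMPLE = [
    Packet(0.00, 1000), Packet(0.05, 40000), Packet(0.10, 1001),
    Packet(0.15, 65535), Packet(0.20, 40001), Packet(0.25, 1002),
    Packet(0.30, 0), Packet(0.35, 40002), Packet(0.40, 1),
    Packet(0.45, 1003),
]

# Constructed control: one host only, nothing interleaved.
SINGLE_HOST = [Packet(0.1 * i, 500 + i) for i in range(10)]


if __name__ == "__main__":
    for chain in count_chains(SAMPLE):
        print([p.ident for p in chain])
    print("hosts behind NAT (lower bound):", estimate_hosts(SAMPLE))
    print("single host control:", estimate_hosts(SINGLE_HOST))
```

The estimate is only a lower bound, and it degrades in two directions: a host that sends little traffic can be missed entirely, and a stack that randomises the counter per packet splits into many one-packet chains, so an unusually high chain count is itself a signal that at least one host is not using a plain incrementing counter. Uwe's proxy-per-service gateway defeats the technique because the packets the provider sees are then generated by the gateway's own stack, with one counter sequence.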