
Re: [Sheflug] Re: Iptables



On Sat, 2002-05-04 at 21:49, Dawson, Alan wrote:
> More simply put does his use of private ip range and masquerading not
> protect him ..?

To an extent. In that there is only one IP address to attack, yes,
you've reduced the risk. 

Most previous ip(fwadmin|chains|tables) exploits have been kernel bugs
or common configuration errors relating to 'RELATED' connections - for
example, having an active ftp connection in use means that the firewall
needs to allow connections from external machines to local machines. If
you can fool the firewall into thinking that the incoming connection is
related to an existing one, then you've got your way around the
firewall.

Using 192.168.* doesn't mean that it's unroutable, per se. Hackers don't
obey rules - so, if they are able to get close enough to your network so
that they can see your 'private' traffic, then suddenly your unroutable
packets might start being routed. The difference between technical
possibility and technical policy is important. 

Using a masquerading firewall, allowing outgoing packets and incoming
packets not starting connections (the 'three line firewall') offers you
as much protection as you need. Most complicated firewall systems are
necessary when you start wanting to do more complicated things: host a
CVS server, receive incoming SMTP mail, etc. Running a dedicated
firewall isn't usually necessary if you're not running Windows on your
LAN; if you are running Windows it's practically mandatory.

Cheers,

Alex.

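The 'three line firewall' Alex describes, written out as iptables rules. This is an added example, not part of the original thread; it assumes eth0 faces the Internet and the LAN is 192.168.0.0/24 (both overridable via WAN and LAN_NET).

```shell
#!/bin/sh
# Added example, not from the original thread: the 'three line firewall'
# as iptables rules. Assumptions: eth0 faces the Internet and the LAN is
# 192.168.0.0/24 (override with WAN=... LAN_NET=...).
WAN=${WAN:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

# With DRY_RUN=1 commands are printed instead of executed, so the rule set
# can be reviewed on a box without root or iptables before it is applied.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

three_line_firewall() {
    run sysctl -w net.ipv4.ip_forward=1

    # Nothing passes unless a rule below says so.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Line 1: masquerade LAN traffic leaving through the WAN interface, so
    # the outside sees a single address (the only one there is to attack).
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # Line 2: the LAN may start outgoing connections.
    run iptables -A FORWARD -s "$LAN_NET" -o "$WAN" -j ACCEPT

    # Line 3: from outside, only packets belonging to a connection the kernel
    # already tracks get in; anything starting a new one hits the DROP policy.
    # RELATED is what re-admits active FTP data channels (and ICMP errors for
    # tracked flows); if nobody on the LAN needs that, dropping RELATED here
    # removes the helper-tracking surface the message mentions.
    run iptables -A FORWARD -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT   -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The firewall host itself stays reachable from the LAN and loopback.
    run iptables -A INPUT ! -i "$WAN" -j ACCEPT
}

case "${1:-}" in
    show)  DRY_RUN=1 three_line_firewall ;;   # print the rules for review
    apply) three_line_firewall ;;             # needs root
esac
```

Run `sh firewall.sh show` to inspect the rules and `sh firewall.sh apply` as root to install them.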

___________________________________________________________________

Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html

  GNU the choice of a complete generation.