At 12:17 PM 11/8/00 +0000, Michael Boyd wrote:
...
>The kind of structure I have in mind is:-
>
>[Win. 98 Box]--eth--[Debian Box]--modem--[Internet Service Provider]
>
>I intend to add other machines on my network later and have the Debian
>Box doing ipmasq, ipchains and diald.
>
>My first two questions are:-
>
>Would it be *much* safer to insert a second Debian Box with 2 ethernet
>cards, one machine to do the firewalling and one to make the connection
>to the internet? Presumably if I did that the machine making the
>internet connection would be potentially vulnerable?

NO, and it would be a good bit harder, since you'd need either 2 levels of NAT (MASQ) or a more complex routing table on one or both routers. The host making the Internet connection is always "potentially vulnerable". Good firewall/router design minimizes (ideally, eliminates, but let's be realistic) the vulnerability.

>Is there anything wrong with using IP addresses such as 10.0.0.1 and a
>subnet mask of 255.255.255.0 for my machines? The gateway will have a
>dynamic IP addr. from my ISP as well.

If by "such as" you mean to refer to the private address ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), then there is nothing at all wrong with using them. They are intended for use in exactly these kinds of situations.

--
------------------------------------"Never tell me the odds!"---
Ray Olszewski                                        -- Han Solo
Palo Alto, CA                                   [EMAIL PROTECTED]
----------------------------------------------------------------

