On Tue, 28 May 2002 15:30:04 +0200
"Marcus Przyklink" <[EMAIL PROTECTED]> wrote:

> Jamin W. Collins wrote:
> > On Tue, 28 May 2002 15:02:24 +0200
> > "Marcus Przyklink" <[EMAIL PROTECTED]> wrote:
> > > wotan:~ # cat masquerading 
> > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > echo 1 >/proc/sys/net/ipv4/ip_forward
> > 
> > I trust you understand just how insecure that script is, right?
> 
> I think for a home-LAN, say a trusted LAN, it's ok, and I've understood
> that the question was for such a LAN to connect to the internet.
> If I got something wrong, one way or the other, please correct me.

I believe you understood both questions, and the posted script will
provide the basic functionality.  However, the insecurities that I'm
referring to are not concerning how the script behaves with your internal
(aka trusted) segment so much as the external (aka untrusted) segment.
 
With the above script, you've left all policies at their defaults of
"ACCEPT".  Thus, the NAT'ing box is fully exposed to the internet.  Unless
you've taken other steps to limit/eliminate unused services, this box is
most likely open in one way or another. Don't get me wrong, I'm aware
that a box without a firewall at all can be just as secure (possibly even
more so) than one with one.  However, if you are already using the
firewall tool to provide NAT'ing for your network, you might want to
consider using its other features to add another layer of protection to
your network.

-- 
Jamin W. Collins


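As an added example (not from the thread), here is the posted two-line masquerading script extended with the default-deny policies the reply alludes to: new connections arriving on the untrusted ppp0 side are dropped, while the LAN keeps full access. The interface names and the LAN range are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example: the posted masquerading script plus default-deny on the
# untrusted side. WAN/LAN interface names and LAN_NET are assumed values.
WAN=${WAN:-ppp0}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed RFC 1918 home LAN

# Emit the rule set as text so it can be reviewed before it is applied;
# run "./script apply" as root to load it.
nat_firewall_rules() {
  cat <<EOF
# flush and default-deny: anything not explicitly allowed is dropped
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# loopback and LAN-side traffic to the NAT box itself
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -s $LAN_NET -j ACCEPT
# replies to connections the box or the LAN opened may come back in
iptables -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may reach the internet; new connections from the internet may not
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
# the original two lines: masquerade on the dial-up link and enable forwarding
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
echo 1 >/proc/sys/net/ipv4/ip_forward
EOF
}

# Sanity check usable without root: confirm the untrusted side is default-deny.
rules_are_default_deny() {
  nat_firewall_rules | grep -q -- '-P INPUT DROP' &&
  nat_firewall_rules | grep -q -- '-P FORWARD DROP'
}

if [ "$1" = "apply" ]; then
  nat_firewall_rules | sh
else
  nat_firewall_rules
fi
```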