Jamin W. Collins wrote:
> On Tue, 28 May 2002 15:30:04 +0200
> "Marcus Przyklink" <[EMAIL PROTECTED]> wrote:
>
> > Jamin W. Collins wrote:
> > > On Tue, 28 May 2002 15:02:24 +0200
> > > "Marcus Przyklink" <[EMAIL PROTECTED]> wrote:
> > > > wotan:~ # cat masquerading
> > > > iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> > > > echo 1 >/proc/sys/net/ipv4/ip_forward
> > >
> > > I trust you understand just how insecure that script is, right?
> >
> > I think for a home LAN, say a trusted LAN, it's ok, and I've understood
> > that the question was for such a LAN to connect to the internet.
> > If I got something wrong, one way or the other, please correct me.
>
> I believe you understood both questions, and the posted script will
> provide the basic functionality. However, the insecurities that I'm
> referring to are not concerning how the script behaves with your internal
> (aka trusted) segment so much as the external (aka untrusted) segment.
>
> With the above script, you've left all policies at their defaults of
> "ACCEPT". Thus, the NAT'ing box is fully exposed to the internet. Unless
> you've taken other steps to limit/eliminate unused services, this box is
> most likely open in one way or another. Don't get me wrong, I'm aware
> that a box without a firewall at all can be just as secure (possibly even
> more so) than one with one. However, if you are already using the
> firewall tool to provide NAT'ing for your network, you might want to
> consider using its other features to add another layer of protection to
> your network.
Ah, now I understand what you mean. Well, the box connected to the internet has only the SMTP and SSH ports open, so I think it's pretty secure. The MTA is qmail without relaying or the like activated.

Sure, it would be more secure to accept only ssh connections from the LAN to the box, but sometimes I want friends to be able to connect to the box via ssh over the internet. Because of these reasons I don't have a firewall running. Allowing only some IPs to connect to ssh won't work; my friends have no static IP.

-- 
There are only two ways to live your life. One is as though nothing is a miracle. The other is as though everything is. [Albert Einstein]
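For the point Jamin raises (the posted script leaves the filter table at its default ACCEPT policies), here is an added example of the same masquerading script with a default-deny filter policy layered on top. It is not code from either poster; the interface names, the LAN range and the choice to still expose SSH and SMTP to the internet (as Marcus describes) are assumptions. The script prints the rules instead of applying them unless APPLY=1 is set, so the ruleset can be reviewed first.

```shell
#!/bin/sh
# Added example: the thread's NAT script plus a default-deny filter ruleset.
# Assumptions (not from the thread): WAN is ppp0 (as in the posted script),
# the trusted LAN is eth0 with 192.168.0.0/24.
WAN=ppp0
LAN=eth0
LAN_NET=192.168.0.0/24

# Dry-run wrapper: echo the command unless APPLY=1 (applying needs root).
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

ruleset() {
    # NAT part, exactly as in the original post
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Default-deny: anything not explicitly accepted below is dropped
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, plus replies to connections the box or the LAN initiated
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Trusted LAN may talk to the box and be forwarded out to the internet
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # The two services deliberately exposed to the internet (SSH for friends
    # without static IPs, SMTP for qmail); everything else hits the DROP policy
    ipt -A INPUT -i "$WAN" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$WAN" -p tcp --dport 25 -j ACCEPT

    # Rate-limited log of what the WAN side gets dropped, for visibility
    ipt -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "wan-drop: "
}

enable_forwarding() {
    if [ "${APPLY:-0}" = "1" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    else
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    fi
}

ruleset
enable_forwarding
```

Running it without APPLY set prints the full ruleset for review; `APPLY=1 sh masquerading` applies it. Because the FORWARD policy is DROP and only established/related traffic is accepted from the WAN side, the LAN hosts behind the NAT box are not reachable from the internet even though the box itself still answers on 22 and 25.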