----- Original Message -----
From: "Ray Olszewski" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, November 02, 2002 12:12 PM
Subject: Re: [leaf-user] Bering RC-4 unexplainable holes in shorewall - long
> > One piece of what you wrote is especially perplexing, though, namely --
> >
> > >most disturbing is my
> > >ability to ping internal clients on both internal networks from the EXTERNAL
> > >network - even masq'd clients. I know the norfc1918 option on zone net will
> > >stop this but shouldn't the overall policy of net2all prevent this?
>
> This one needs a bit more explanation. Since the external connection is a
> PPPoE connection, just where are you doing this ping'ing *from*? From out
> on the Internet, pings to your private addresses should not get even close
> to your LANs; the ISP's routers should stop them before they ever encounter
> your rulesets. If you traceroute to these addresses, do they really prove
> to be on your LANs (or are you just able to ping *some* hosts with
> 192.168.17.d addresses)?
>

I'm running a pppoe server to connect the Bering box to (Dachstein with no filtering, RP pppoe-server on eth1), as the final production machine will be shipped to an inaccessible location. As I use cable here, I felt it was necessary to run this box as close as possible to field conditions - a pppoe connection to the net. I am pinging from the external side of the Dachstein/pppoe box through the pppoe link on the internal side to the Bering box. I admit this doesn't set up a completely realistic network. The routing would be difficult but not impossible in a real-world situation. This is why I tried this particular test. PPPoE would make this nearly impossible, but not all my production boxes are connected via pppoe. On my own cable network I have been able to set up a machine on an unused address on my segment to port-scan and probe my own firewalls at two sites on the same segment. If I can do it, someone else can. A simple ping scan of the cable segment reveals available IPs to use. Since traffic within the segment does not traverse the ISP's router, I can set up routes to private IP space over the public network.
In order to keep my superiors happy, I must approach security from a belt-and-suspenders point of view, hence the strange and far-fetched testing. The shorewall norfc1918 option on my external interface will easily prevent this, but I wanted to test other levels of the firewalling. I have since corrected problems I caused in my shorewall configuration that pretty much eliminate this scenario altogether - in particular, the proper use of the filterping interface option and disabling FORWARDPING in Shorewall. Thanks anyway for the response.

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
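An added example, not taken from the thread or from the LEAF/Shorewall projects, showing the Shorewall 1.3-era settings the reply refers to, with the permissive values beside the corrected ones. The zone names (net, loc, loc2), the interfaces (ppp0, eth1, eth2) and the 192.168.17.0/24 range are assumptions; the 192.168.17.d addresses quoted above are the only range the thread mentions.

```text
# /etc/shorewall/shorewall.conf  (assumed Bering / Shorewall 1.3 layout)
#
# Permissive: ICMP echo requests passing through the firewall are accepted
# regardless of the zone policies, so a ping that arrives on ppp0 addressed
# to a LAN host is forwarded even though the net->all policy says DROP.
FORWARDPING=Yes
#
# Corrected: pings through the firewall are governed by rules and policies
# like any other traffic, so net->all DROP now applies to them.
FORWARDPING=No

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
# Before: no options on the external link. Packets with RFC 1918 source or
# destination addresses are accepted on ppp0, and pings aimed at the
# firewall itself are answered unconditionally.
net     ppp0        -
loc     eth1        detect
loc2    eth2        detect
#
# After: norfc1918 drops RFC 1918-addressed traffic arriving on ppp0
# (the private ranges should never appear on the external link), and
# filterping makes pings to the firewall subject to rules and policy.
net     ppp0        -           norfc1918,filterping

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc2    net     ACCEPT
net     all     DROP    info        # "net2all": logged so the test pings show up
all     all     REJECT  info

# /etc/shorewall/masq
#INTERFACE  SUBNET
ppp0        192.168.17.0/24         # assumed internal range behind masquerading
```

After `shorewall restart`, a ping sent from the external side to a 192.168.17.x host should be dropped and logged under the net->all policy instead of being forwarded, which is the observable check for the scenario described in the thread.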
