Re: splitting a subnet in an odd way

2003-09-27 Thread Leonardo Boselli
You forget one thing: there are 10 other machines (addresses 3 to 13) 
that need not be firewalled, and must be accessible from ANY other 
host, both internally and externally, without passing the FW.
The second group really is not a problem, since they are just virtual 
addresses for a machine in the first group, that self-firewalls!
However, users in the third, internal group should access these machines 
directly.
About proxy-arping 230 machines: what commands would you suggest 
for doing that? The way I used for a small group wreaked havoc on some 
network monitoring tools!

On 26 Sep 2003 at 9:25, Fraser Campbell wrote:

 On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:
 
  I have a /24 subnet.
  .1 is the gateway and almost all IPs from 2 to 254 are occupied.
  I would like to split the hosts into three groups:
  12 that can have full access, 12 through one firewall and the other 205
  through a second firewall.
  I cannot change the number of some machines, so the only option is
  that the first 12 and the two firewalls are .2 to .14,
  the second group is .18 to .29 and the third would keep its present
  numbers between .36 and .254.
 
 Why not have a single firewall?  If you want to have two firewalls make an HA 
 cluster out of them.  If you are interested in physically separating the 
 subnets then I would just put extra interfaces on the firewall (basically 
 multiple DMZs).
 
 - assume subnet is 1.1.1.0/24
 - all machines behind firewall get 1.1.1.0/24 subnet 
 - firewall gets 1.1.1.2/24 assigned to its external interface (side facing
   router)
 - firewall does proxy arp for all IPs in the subnet on its external interface
 - if you like, firewall does proxy arp for 1.1.1.1 on its internal interface
   and then machines shouldn't even have to change their gateway
 - firewall rules are written as you require.  Even though the subnet
   1.1.1.0/28 doesn't really exist you can write your firewall rules in that
   way
--
Leonardo Boselli
Nucleo Informatico e Telematico del Dipartimento Ingegneria Civile
Universita` di Firenze , V. S. Marta 3 - I-50139 Firenze
tel +39 0554796431 cell +39 3488605348 fax +39 055495333
http://www.dicea.unifi.it/~leo


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
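The bullet list above writes rules against a /28 that "doesn't really exist"; the Python below is an added illustration (not code from any poster on this thread) that takes Fraser's placeholder 1.1.1.0/24 and the three ranges from Leonardo's post, shows which CIDR blocks each non-aligned group actually decomposes into, and emits one FORWARD rule per block. The group and chain names are assumptions.

```python
import ipaddress

# Constructed placeholder subnet, as in the reply above; the three groups
# are the ranges from the original post (.2-.14, .18-.29, .36-.254).
SUBNET = ipaddress.ip_network("1.1.1.0/24")
GROUPS = {                    # name: (first host, last host), inclusive
    "open": (2, 14),          # full access, includes the two firewalls
    "fw1":  (18, 29),         # filtered by the first firewall
    "fw2":  (36, 254),        # filtered by the second firewall
}


def _addr(last_octet):
    return SUBNET.network_address + last_octet


def classify(ip):
    """Return the group an address falls into, or None for .1 and the gaps."""
    a = ipaddress.ip_address(ip)
    if a not in SUBNET:
        raise ValueError(f"{ip} is outside {SUBNET}")
    last = int(a) - int(SUBNET.network_address)
    for name, (lo, hi) in GROUPS.items():
        if lo <= last <= hi:
            return name
    return None


def cidrs(group):
    """Smallest set of CIDR blocks that exactly covers a group's range.
    The ranges are not prefix-aligned, so each group needs several blocks."""
    lo, hi = GROUPS[group]
    return [str(n) for n in ipaddress.summarize_address_range(_addr(lo), _addr(hi))]


def forward_rules(group, chain):
    """iptables FORWARD lines handing one group's traffic, both directions,
    to a per-group policy chain; one pair of rules per CIDR block."""
    lines = []
    for block in cidrs(group):
        lines.append(f"iptables -A FORWARD -d {block} -j {chain}")
        lines.append(f"iptables -A FORWARD -s {block} -j {chain}")
    return lines


if __name__ == "__main__":
    for g in GROUPS:
        print(g, cidrs(g))
    # the "open" group gets no FORWARD rules: it is not filtered at all
    print("\n".join(forward_rules("fw1", "FW1_POLICY")))
    print("\n".join(forward_rules("fw2", "FW2_POLICY")))
```

Whole-interface proxy ARP (the per-interface proxy_arp sysctl under /proc/sys/net/ipv4/conf/) is a separate step that this script does not touch.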



Re: splitting a subnet in an odd way

2003-09-27 Thread Peter Billson
Leonardo,
  I may not exactly understand what you are trying to do but if the only
thing you are trying to accomplish is firewalling the machines
differently, couldn't you just:

  1) assign them different gateways. The open machines would use the
real gateway. The other two groups would use the trusted side of the
two firewalls as gateways. The firewalls would use your real gateway
to forward the packets to/from the world.

The two firewalls could be one Linux box with a couple of interfaces
and appropriate firewall rules.

  2) just write the firewall rules to do what you want. Why not just
write your firewall rules to do what you want? Pass IPs x to y without
filtering, etc., etc. This seems most straightforward.

Pete
-- 
http://www.elbnet.com
ELB Internet Service, Inc.
Web Design, Computer Consulting, Internet Hosting


  On Wednesday 24 September 2003 10:47, Leonardo Boselli wrote:
 
   I have a /24 subnet.
   .1 is the gateway and almost all IPs from 2 to 254 are occupied.
   I would like to split the hosts into three groups:
   12 that can have full access, 12 through one firewall and the other 205
   through a second firewall.
   I cannot change the number of some machines, so the only option is
   that the first 12 and the two firewalls are .2 to .14,
   the second group is .18 to .29 and the third would keep its present
   numbers between .36 and .254.





Re: proftpd exploit

2003-09-27 Thread Fraser Campbell
On Friday 26 September 2003 09:33, mimo wrote:

 I have just discovered this exploit report but couldn't find anything
 about other distros than Slackware
 http://proftpd.linux.co.uk/index.html
 Does anybody know if the debian version is affected too?

You should always take a look at bug reports if you're worried about a 
security issue.  Here's the bug report on this for Debian:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212416

According to the bug report, woody is not vulnerable.  ISS says that versions 
1.2.7 through 1.2.9rc2 (and possibly versions prior to 1.2.7) are vulnerable.  
I suspect that someone somewhere has since tested earlier versions (woody runs 
a patched 1.2.4) and decided that those versions are not vulnerable.  It 
would be nice if the bug report noted on what evidence stable is not 
affected.

 All I could think of for the moment was disabling downloading via FTP
 globally. Any ideas?

Yes, it sounds like denying either uploads or downloads would have saved you.

-- 
Fraser Campbell [EMAIL PROTECTED] http://www.wehave.net/
Halton Hills, Ontario, Canada Debian GNU/Linux

