You can do something like this on a full-blown Linux (like RH 7.1) which 
uses IP-chains/IP-tables for firewalling.  With that, you can tell the 
box to only listen to certain IP's and tell the rest to "naff-off!"

STN, unfortunately, does not support these advanced firewalling features 
for two major reasons:  (and I am guessing here - but I'm willing to bet 
that I'm not too darn far off the mark either!)

1.  When STN was originally developed - (a few years ago) - the Linux 
kernels did not support these advanced features.  In fact, they were 
outrageously experimental - and nobody in their right mind would put a 
"bleeding edge" kernel in a production system.  They had more bugs than 
a Brooklyn tenement house.

2.  Just as significantly - the "paradigm" behind STN was to provide a 
secure interface between a (presumably trusted) relatively small 
internal network, and the outside world - using inexpensive hardware - 
and a (at that time) dirt-cheap software solution.  Also - it was 
designed to be very easy to implement.  Simplicity and robustness were 
considered more important than all the fancy esoteric features.

Even then - fancier solutions could be done with a set of Red Hat (or 
Debian, or Caldera, or etc.) CD's, and a spare box - but the setup and 
configuration time was, (and still is!), not trivial.  Weeks could be 
spent - only to find out that the "firewall" was only half-baked.  Even 
worse, these kernels themselves had HUGE security problems.

Enter Share The Net.  You don't have to be a Linux (or Unix) guru.  All 
you have to know is what's on the inside, what's on the outside, and the 
basic parameters needed to connect them.  STN's Windows interface asks 
for the right information, builds the config files, makes a bootable 
Linux floppy - and you're set!  (actually, it usually takes a few 
iterations to get it right, but it is far-and-away easier than trying to 
do it "butt-naked" with Red Hat right out of the box!)

It was never designed to be a "sophisticated" firewall.  You can buy 
those from Cisco, et al., for huge bux.  This was supposed to be simple, 
reliable, and secure.  And in that respect, it works admirably.

Even now - I periodically invite a "hack-test" site to try to break into 
my system - and they beat themselves silly trying.  So far, (knock 
wood!) I am still secure.

There are fancier solutions out there that can do what you want, but 
you're going to pay for it, either in bux, or in the sweat off your 
brow.  (I've looked at about five-or-six, and STN is _still_ my 
favorite.)

Jim
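
The ipchains/iptables approach mentioned at the top of this message, written out as an added example (this is not code from the list post, from Jim, or from the ShareTheNet project): an iptables ruleset for a 2.4-era Linux gateway that forwards traffic only for the three listed internal hosts and drops the other 47, which is the situation Dennis describes. The interface names, the LAN range and the three trusted addresses are constructed placeholders; the script prints the rules by default and only loads them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the list post: allow only a few internal hosts to
# use the gateway. Every interface name and address below is constructed.
set -e

LAN_IF="eth0"                       # assumed: interface facing the internal LAN
WAN_IF="ppp0"                       # assumed: interface facing the Internet
LAN_NET="192.168.1.0/24"            # constructed internal network
TRUSTED="192.168.1.10 192.168.1.11 192.168.1.12"   # constructed trusted hosts
# Dry-run by default: the rules are printed for review. Run with
# IPT=iptables (as root, on the gateway) to actually load them.
IPT="${IPT:-echo iptables}"

apply_rules() {
    # Start from a clean slate with a default-deny policy on both chains.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP

    # Replies to connections the trusted hosts opened are allowed back in,
    # and the gateway may always talk to itself.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Only the listed hosts may originate traffic through the gateway or
    # reach its own services (e.g. the admin web). Matching on -i $LAN_IF as
    # well means a packet arriving on the WAN side with a trusted internal
    # source address does not get a free pass.
    for host in $TRUSTED; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$host" -j ACCEPT
        $IPT -A INPUT -i "$LAN_IF" -s "$host" -j ACCEPT
    done

    # Anything else from the LAN is logged (rate-limited so a chatty host
    # cannot fill the logs) and then dropped by the chain policy.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -m limit --limit 5/min \
        -j LOG --log-prefix "untrusted-fwd: "
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -m limit --limit 5/min \
        -j LOG --log-prefix "untrusted-in: "
}

apply_rules
```

Run it once without IPT set to read the fifteen rules it would load, then again with IPT=iptables on the gateway. The ordering matters: the per-host ACCEPT rules sit before the LOG rules, so only traffic from the other internal machines reaches the log line and the DROP policy. This is iptables syntax only; a 2.2 kernel with ipchains uses a different command syntax and a different chain model, so the rules would have to be rewritten for it.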

Dennis Pennings wrote:
> Thanx for the reply...
> 
> What I'm asking for is what you describe in the first section of the msg.
> Win9x doesn't have security available and accepts route.exe commands. So 
> it ain't difficult to tell it to use the gateway. In my situation, only 3 
> PC's (of 50) on the internal network should use the gateway.
> 
> I was thinking of a solution I've seen on Linux. I can't remember which 
> file it was, but it had options to control the IP traffic by IP and port 
> both ways. I think it was called hosts.
> Is it possible to include the required .tbz and use this file?
> 
> greetz,
> Dennis
> 
> 
> -----Original Message-----
> From: Jim Harris [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 17, 2001 4:32
> To: [EMAIL PROTECTED]
> Subject: RE: [STN] trusted IP?
> 
> 
> Dennis,
> 
> I am not sure what you are asking for....
> 
> Are you saying that, if there are (for example) four or five, (or two 
> dozen), machines on the interior net - that STN should ONLY accept 
> connections from ONE of them?  (and ignore the rest??)
> 
> Assuming that this is true - I do not know "exactly" how to do this.  
> One idea might be to put the "trusted" machine on a different "network" 
> address space than the rest - however that might make intercommunication 
> difficult.  The whole idea behind STN (as far as I can tell) is that the 
> ENTIRE "internal" network is trusted.  In fact, if a particular machine 
> on the inside "knows" the IP address of the gateway machine, it is kinda 
> hard to prevent them from using it.
> 
> If you want to tell STN that particular -INBOUND- traffic (like SMTP 
> mail for example - or HTTP requests) should be routed to ONE machine - 
> that is easy.  There is a page within the "admin" web where you can set 
> up specific inbound services (like mail or web).
> 
> Jim
> 
> Dennis Pennings wrote:
> > Is there a way to tell the STN to only connect to 1 IP on the internal
> > network?
> > 
> > Dennis
> 
> 
> --
> Visit http://www.ShareTheNet.com for info about ShareTheNet
> Visit http://www.topica.com/lists/sharethenet for info about this list
> To Unsubscribe send email to: [EMAIL PROTECTED]
> 
