But isn't it possible to use ipfwadm in the manual override, deny
everything from the internal net except those ip-ranges you want to let
through?
You CAN give multiple ipfwadm commands, right?
Sean
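As an added example (not code from this list, from Sean, or from the STN project), here is the deny-everything-except approach in ipfwadm form, assuming STN's manual override will run arbitrary ipfwadm commands. The internal net and the three allowed hosts are constructed sample values, and the ipfwadm flags used are the 2.0-kernel ones (-F forwarding, -p policy, -f flush, -a append, -m masquerade, -S/-D source/destination, -o log).

```shell
#!/bin/sh
# Added example, not from the STN list or its authors. Builds ipfwadm forwarding
# rules that masquerade only a short list of internal hosts and deny the rest of
# the internal net. Constructed sample values: 192.168.1.0/24 and three hosts.
INTERNAL_NET="192.168.1.0/24"
ALLOWED_HOSTS="192.168.1.10 192.168.1.11 192.168.1.12"

# Print the ipfwadm commands in order; nothing is executed here, so the rule
# set can be reviewed first (or piped to sh on the gateway box).
build_rules() {
    net="$1"; shift
    # Flush old forwarding rules and make deny the default, so anything that is
    # not explicitly accepted below is dropped (fail closed).
    echo "ipfwadm -F -f"
    echo "ipfwadm -F -p deny"
    # One accept+masquerade rule per trusted host; /32 limits it to that host.
    for h in "$@"; do
        echo "ipfwadm -F -a accept -m -S $h/32 -D 0.0.0.0/0"
    done
    # Explicit logged deny for the remainder of the internal net. Redundant with
    # the policy, but it shows up in 'ipfwadm -F -l' and -o logs the attempts,
    # which is how you notice an untrusted PC trying to use the gateway.
    echo "ipfwadm -F -a deny -S $net -D 0.0.0.0/0 -o"
}

# Number of accept rules in the generated set (one per allowed host).
count_accepts() { build_rules "$@" | grep -c -- '-a accept'; }

# Succeeds only if the given host gets its own accept rule.
host_allowed() {
    net="$1"; host="$2"; shift 2
    build_rules "$net" "$@" | grep -q -- "-S $host/32"
}

build_rules "$INTERNAL_NET" $ALLOWED_HOSTS
```

Rule order matters: the per-host accepts are appended before the catch-all deny for the net, and the default policy catches anything that slips past both.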
Jim Harris wrote:
> You can do something like this on a full-blown Linux (like RH 7.1) which
> uses IP-chains/IP-tables for firewalling. With that, you can tell the
> box to only listen to certain IP's and tell the rest to "naff-off!"
>
> STN, unfortunately, does not support these advanced firewalling features
> for two major reasons: (and I am guessing here - but I'm willing to bet
> that I'm not too darn far off the mark either!)
>
> 1. When STN was originally developed - (a few years ago) - the Linux
> kernels did not support these advanced features. In fact, they were
> outrageously experimental - and nobody in their right mind would put a
> "bleeding edge" kernel in a production system. They had more bugs than
> a Brooklyn tenement house.
>
> 2. Just as significantly - the "paradigm" behind STN was to provide a
> secure interface between a (presumably trusted) relatively small
> internal network, and the outside world - using inexpensive hardware -
> and a (at that time) dirt-cheap software solution. Also - it was
> designed to be very easy to implement. Simplicity and robustness were
> considered more important than all the fancy esoteric features.
>
> Even then - fancier solutions could be done with a set of Red Hat (or
> Debian, or Caldera, or etc.) CD's, and a spare box - but the setup and
> configuration time was, (and still is!), not trivial. Weeks could be
> spent - only to find out that the "firewall" was only half-baked. Even
> worse, these kernels themselves had HUGE security problems.
>
> Enter Share The Net. You don't have to be a Linux (or Unix) guru. All
> you have to know is what's on the inside, what's on the outside, and the
> basic parameters needed to connect them. STN's Windows interface asks
> for the right information, builds the config files, makes a bootable
> Linux floppy - and you're set! (actually, it usually takes a few
> iterations to get it right, but it is far-and-away easier than trying to
> do it "butt-naked" with Red Hat right out of the box!)
>
> It was never designed to be a "sophisticated" firewall. You can buy
> those from Cisco, et al., for huge bux. This was supposed to be simple,
> reliable, and secure. And in that respect, it works admirably.
>
> Even now - I periodically invite a "hack-test" site to try to break into
> my system - and they beat themselves silly trying. So far, (knock
> wood!) I am still secure.
>
> There are fancier solutions out there that can do what you want, but
> you're going to pay for it, either in bux, or in the sweat off your
> brow. (I've looked at about five-or-six, and STN is _still_ my
> favorite.)
>
> Jim
>
> Dennis Pennings wrote:
> > Thanx for the reply...
> >
> > What I'm asking for is what you describe in the first section of the msg.
> > Win9x doesn't have security available and accepts route.exe commands. So
> > it ain't difficult to tell it to use the gateway. In my situation, only 3
> > PC's (of 50) on the internal network should use the gateway.
> >
> > I was thinking of a solution that I've seen on Linux. I can't remember which
> > file it was, but it had options to control the IP traffic by IP and port
> > both ways. I think it was called hosts.
> > Is it possible to include the required .tbz and use this file?
> >
> > greetz,
> > Dennis
> >
> >
> > -----Original Message-----
> > From: Jim Harris [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday 17 July 2001 4:32
> > To: [EMAIL PROTECTED]
> > Subject: RE: [STN] trusted IP?
> >
> >
> > Dennis,
> >
> > I am not sure what you are asking for....
> >
> > Are you saying that, if there are (for example) four or five, (or two
> > dozen), machines on the interior net - that STN should ONLY accept
> > connections from ONE of them? (and ignore the rest??)
> >
> > Assuming that this is true - I do not know "exactly" how to do this.
> > One idea might be to put the "trusted" machine on a different "network"
> > address space than the rest - however that might make intercommunication
> > difficult. The whole idea behind STN (as far as I can tell) is that the
> > ENTIRE "internal" network is trusted. In fact, if a particular machine
> > on the inside "knows" the IP address of the gateway machine, it is kinda
> > hard to prevent them from using it.
> >
> > If you want to tell STN that particular -INBOUND- traffic (like SMTP
> > mail for example - or HTTP requests) should be routed to ONE machine -
> > that is easy. There is a page within the "admin" web where you can set
> > up specific inbound services (like mail or web)
> >
> > Jim
> >
> > Dennis Pennings wrote:
> > > Is there a way to tell the STN to only connect to 1 IP on the internal
> > > network?
> > >
> > > Dennis
> >
> >
> > --
> > Visit http://www.ShareTheNet.com for info about ShareTheNet
> > Visit http://www.topica.com/lists/sharethenet for info about this list
> > To Unsubscribe send email to: [EMAIL PROTECTED]
> >