But isn't it possible to use ipfwadm in the manual override to deny 
everything from the internal net except those IP ranges you want to let 
through?
You CAN give multiple ipfwadm commands, right?

Sean
Jim Harris wrote:
> You can do something like this on a full-blown Linux (like RH 7.1) which 
> uses IP-chains/IP-tables for firewalling.  With that, you can tell the 
> box to only listen to certain IP's and tell the rest to "naff-off!"
> 
> STN, unfortunately, does not support these advanced firewalling features 
> for two major reasons:  (and I am guessing here - but I'm willing to bet 
> that I'm not too darn far off the mark either!)
> 
> 1.  When STN was originally developed - (a few years ago) - the Linux 
> kernels did not support these advanced features.  In fact, they were 
> outrageously experimental - and nobody in their right mind would put a 
> "bleeding edge" kernel in a production system.  They had more bugs than 
> a Brooklyn tenement house.
> 
> 2.  Just as significantly - the "paradigm" behind STN was to provide a 
> secure interface between a (presumably trusted) relatively small 
> internal network, and the outside world - using inexpensive hardware - 
> and a (at that time) dirt-cheap software solution.  Also - it was 
> designed to be very easy to implement.  Simplicity and robustness were 
> considered more important than all the fancy esoteric features.
> 
> Even then - fancier solutions could be done with a set of Red Hat (or 
> Debian, or Caldera, or etc.) CD's, and a spare box - but the setup and 
> configuration time was, (and still is!), not trivial.  Weeks could be 
> spent - only to find out that the "firewall" was only half-baked.  Even 
> worse, these kernels themselves had HUGE security problems.
> 
> Enter Share The Net.  You don't have to be a Linux (or Unix) guru.  All 
> you have to know is what's on the inside, what's on the outside, and the 
> basic parameters needed to connect them.  STN's Windows interface asks 
> for the right information, builds the config files, makes a bootable 
> Linux floppy - and you're set!  (actually, it usually takes a few 
> iterations to get it right, but it is far-and-away easier than trying to 
> do it "butt-naked" with Red Hat right out of the box!)
> 
> It was never designed to be a "sophisticated" firewall.  You can buy 
> those from Cisco, et al., for huge bux.  This was supposed to be simple, 
> reliable, and secure.  And in that respect, it works admirably.
> 
> Even now - I periodically invite a "hack-test" site to try to break into 
> my system - and they beat themselves silly trying.  So far, (knock 
> wood!) I am still secure.
> 
> There are fancier solutions out there that can do what you want, but 
> you're going to pay for it, either in bux, or in the sweat off your 
> brow.  (I've looked at about five-or-six, and STN is _still_ my 
> favorite.)
> 
> Jim
> 
> Dennis Pennings wrote:
> > Thanks for the reply...
> > 
> > What I'm asking for is what you describe in the first section of the msg.
> > Win9x doesn't have security available and accepts route.exe commands. So it
> > isn't difficult to tell it to use the gateway. In my situation, only 3 PC's
> > (of 50) on the internal network should use the gateway.
> > 
> > I was thinking of a solution that I've seen in Linux. I can't remember which file
> > it was, but it had options to control the IP traffic by IP and port
> > both ways. I think it was called hosts.
> > Is it possible to include the required .tbz and use this file?
> > 
> > greetz,
> > Dennis
> > 
> > 
> > -----Original Message-----
> > From: Jim Harris [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 17 July 2001 4:32
> > To: [EMAIL PROTECTED]
> > Subject: RE: [STN] trusted IP?
> > 
> > 
> > Dennis,
> > 
> > I am not sure what you are asking for....
> > 
> > Are you saying that, if there are (for example) four or five, (or two 
> > dozen), machines on the interior net - that STN should ONLY accept 
> > connections from ONE of them?  (and ignore the rest??)
> > 
> > Assuming that this is true - I do not know "exactly" how to do this.  
> > One idea might be to put the "trusted" machine on a different "network" 
> > address space than the rest - however that might make intercommunication 
> > difficult.  The whole idea behind STN (as far as I can tell) is that the 
> > ENTIRE "internal" network is trusted.  In fact, if a particular machine 
> > on the inside "knows" the IP address of the gateway machine, it is kinda 
> > hard to prevent them from using it.
> > 
> > If you want to tell STN that particular -INBOUND- traffic (like SMTP 
> > mail for example - or HTTP requests) should be routed to ONE machine - 
> > that is easy.  There is a page within the "admin" web where you can set 
> > up specific inbound services (like mail or web)
> > 
> > Jim
> > 
> > Dennis Pennings wrote:
> > > Is there a way to tell  the STN to only connect to 1 IP on the internal
> > > network?
> > > 
> > > Dennis
> > 
> > 
> > --
> > Visit http://www.ShareTheNet.com for info about ShareTheNet
> > Visit http://www.topica.com/lists/sharethenet for info about this list
> > To Unsubscribe send email to: [EMAIL PROTECTED]
> > 

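What Sean is describing, written out as an added example (this is not STN's own configuration and was not posted to the list): a deny-by-default ipfwadm forwarding policy that lets only three internal addresses out through the gateway, for Dennis's "3 of 50 PCs" case. ipfwadm walks the rules of a chain in the order they were appended and the first rule whose source and destination both match decides; anything unmatched falls to the chain's default policy set with -p. The script below only prints the commands (it never calls ipfwadm, so it runs anywhere), and carries a small first-match simulator so the rule order can be checked before the floppy is rebuilt. The internal net 192.168.1.0/24 and the trusted hosts .10, .11 and .12 are made-up values.

```shell
#!/bin/sh
# Added example, not STN's own configuration: a deny-by-default ipfwadm
# forwarding policy for "only a few internal hosts may use the gateway",
# plus a first-match simulator so the rule order can be checked without
# a 2.0-era kernel.  Nothing here is applied to the running system.
#
# Assumptions (hypothetical values, adjust to taste):
#   internal net  192.168.1.0/24
#   trusted hosts 192.168.1.10 .11 .12  (the "3 of 50" PCs)
INTERNAL_NET="192.168.1.0/24"
TRUSTED_HOSTS="192.168.1.10 192.168.1.11 192.168.1.12"

# Emit the ipfwadm commands, one per line.  On the gateway you would pipe
# this into sh as root.
#   -F  forwarding chain   -f flush        -p default policy
#   -a  append rule        -m masquerade   -o log matching packets
build_forward_rules() {
    echo "ipfwadm -F -f"
    echo "ipfwadm -F -p deny"
    for h in $TRUSTED_HOSTS; do
        echo "ipfwadm -F -a accept -m -S $h/32 -D 0.0.0.0/0"
    done
    # Explicit, logged deny for the rest of the LAN so attempts show up in
    # the kernel log instead of vanishing silently under the default policy.
    echo "ipfwadm -F -a deny -o -S $INTERNAL_NET -D 0.0.0.0/0"
}

# dotted quad -> unsigned 32-bit integer
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET[/BITS] -> exit status 0 if ADDR lies inside NET
in_cidr() {
    addr=$(ip2int "$1")
    case $2 in
        */*) net=$(ip2int "${2%/*}"); bits=${2#*/} ;;
        *)   net=$(ip2int "$2");      bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# forward_decision SRC DST -> prints accept|deny
# Walks the generated rules in order; the first -a rule whose -S and -D
# both match decides, otherwise the -p default policy applies.
forward_decision() {
    src=$1
    dst=$2
    policy=accept            # kernel default before any -p is set
    rules=$(build_forward_rules)
    while read -r line; do
        set -- $line         # ipfwadm -F <op> ...
        shift 2
        case $1 in
            -p) policy=$2 ;;
            -a) action=$2
                shift 2
                s=0.0.0.0/0; d=0.0.0.0/0
                while [ $# -gt 0 ]; do
                    case $1 in
                        -S) s=$2; shift 2 ;;
                        -D) d=$2; shift 2 ;;
                        *)  shift ;;     # -m, -o, -W ... do not affect matching here
                    esac
                done
                if in_cidr "$src" "$s" && in_cidr "$dst" "$d"; then
                    echo "$action"
                    return 0
                fi ;;
        esac
    done <<EOF
$rules
EOF
    echo "$policy"
}

build_forward_rules
for h in 192.168.1.10 192.168.1.50 10.0.0.5; do
    echo "$h -> $(forward_decision "$h" 198.51.100.1)"
done
```

The check this buys is cheap: 192.168.1.10 is forwarded, 192.168.1.50 hits the logged deny, and an address from outside the declared LAN falls to the default deny. Two caveats a practitioner would want stated. First, these rules only govern the forwarding chain; packets addressed to the gateway itself go through the input chain (-I), which needs its own rules if the other 47 PCs should not reach services on the STN box. Second, ipfwadm matches on IP addresses, ports and interfaces, not on Ethernet MAC addresses, so any PC on the wire can adopt 192.168.1.10 and go out. That is Jim's point about a machine that "knows" the gateway's address: this is a convenience control on a trusted LAN, not a strong one.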


