On Fri, Aug 6, 2010 at 8:50 PM, Nathan Eisenberg <[email protected]> wrote:
>> You're missing the entire point. If you have one switch, VLAN 2 is
>> your LAN, and VLAN 3 is your unfiltered Internet, and you put both 2
>> and 3 untagged on the same port... there ya go. From there the amount
>> of damage possible and ease of it happening depends on what kind of
>> Internet connection you have.
>
> You lose me right where you say "... there ya go". How do you propose to get
> your malicious traffic to my vulnerable host? Yes, it's now on the same
> layer 2 domain - but I'm not sure how that can be exploited by an external
> attacker.
>
That's my last point - depends on your Internet connection. If it's DHCP or DHCP is available, you could be pulling a public IP from upstream and leaving a LAN host wide open outside the firewall. If you're on a connection type where WAN is a large broadcast domain like cable, a few thousand hosts will then start seeing your internal ARP and could ARP poison your LAN. There are other possibilities depending on your connection type. It's not worth the risk. With many commercial-grade connections there are fewer options there, and with some it would be virtually impossible to do anything where there's a router between your ISP and your firewall, but it's still not worth the risk.

---------------------------------------------------------------------
Commercial support available - https://portal.pfsense.org
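The misconfiguration the thread describes (two VLANs untagged on one switch port, so LAN and WAN frames share a layer-2 domain) can be caught by auditing the switch's VLAN configuration before it reaches the firewall. Below is an added example, not code from the list or from pfSense; it assumes a constructed ProCurve-like "vlan N / untagged ports" export syntax and flags every port that is untagged in more than one VLAN.

```python
import re
from collections import defaultdict

# Constructed sample in a ProCurve-like syntax (an assumption, adapt to your
# switch's export): port 8 is untagged in both VLAN 2 (LAN) and VLAN 3 (WAN).
SAMPLE_CONFIG = """
vlan 2
   untagged 1-7,8
   tagged 24
vlan 3
   untagged 8,9
   tagged 24
vlan 10
   tagged 24
"""

def expand_ports(spec):
    """Expand a port list such as '1-3,8' into the set {1, 2, 3, 8}."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports

def parse_vlan_config(text):
    """Return {vlan_id: {'untagged': set_of_ports, 'tagged': set_of_ports}}."""
    vlans, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"^vlan\s+(\d+)$", line):
            current = int(m.group(1))
            vlans[current] = {"untagged": set(), "tagged": set()}
        elif current is not None and (m := re.match(r"^(untagged|tagged)\s+(\S+)$", line)):
            vlans[current][m.group(1)] |= expand_ports(m.group(2))
    return vlans

def find_untagged_overlaps(vlans):
    """Ports untagged in more than one VLAN: every untagged VLAN on such a
    port lands in one broadcast domain, the LAN/WAN merge from the thread."""
    by_port = defaultdict(list)
    for vid, info in vlans.items():
        for port in info["untagged"]:
            by_port[port].append(vid)
    return {p: sorted(v) for p, v in by_port.items() if len(v) > 1}

if __name__ == "__main__":
    for port, vids in sorted(find_untagged_overlaps(parse_vlan_config(SAMPLE_CONFIG)).items()):
        print(f"port {port}: untagged in VLANs {vids}")
```

Tagged membership is parsed but deliberately not flagged: a port carrying several tagged VLANs is a normal trunk, while a second untagged VLAN on the same port is what collapses the two networks into one.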
