On Sun, 13 Feb 2011 14:09:12 +0000, Tixy wrote:

> On Sun, 2011-02-13 at 15:02 +0200, Andrei Popescu wrote:
>> Correct me if I'm wrong, but this means you have two IPs on the same
>> interface, one is public and one is RFC 1918 and all your internal
>> computers are connected directly to the big bad internet (via the
>> switch and the modem).

I also think so.

> It's not like that, my server's Ethernet interface only has one,
> private, IP address.
>
> The server uses PPPoE to talk to the modem, which translates this into
> PPPoA to get to my ISP's equipment. So once my server has 'dialled' my
> ISP the ppp interface on my server ends up with my public address, which
> iptables rules can NAT, filter and forward to the private IP range.
>
> Unless I've fundamentally misunderstood networking, I can't see how
> connecting the modem to a separate NIC on the server adds any security.
>
> (I don't discount me getting something horribly wrong, this setup is
> only a few weeks old and my first foray into firewalls and routing.)

I see your Vigor acting like an old dial-up modem (with no routing capabilities at all) or like a DSL USB modem *but* having an Ethernet port, and provided it is connected physically to the same data link layer as the other devices, your whole network is accessible from the Internet and you should protect all your computers by setting up "individual" firewalls.

To properly isolate your LAN from the outside, a second network adapter is needed (one card for handling external traffic connected to the modem and the other card attached to the LAN network). The server can then act as a true firewall and protect the LAN machines.

Greetings,

-- 
Camaleón
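As an added example, not part of the thread and not written by any of its participants: a POSIX shell script sketching the iptables ruleset for the two-NIC layout Camaleón recommends, with the PPP interface doing the NAT, filtering and forwarding that Tixy describes. The interface names (eth0 cabled to the modem, eth1 cabled to the LAN switch, ppp0 created by pppd) and the 192.168.1.0/24 range are assumptions; override them through the environment variables at the top. Run it without arguments to print the rules for review, and as root with the argument `apply` to load them.

```shell
#!/bin/sh
# Added example, not from the thread. Two-NIC firewall/NAT layout:
#   EXT_NIC - NIC cabled to the DSL modem; carries only PPPoE frames (assumed eth0)
#   LAN_NIC - NIC cabled to the LAN switch (assumed eth1)
#   PPP_IF  - interface pppd creates once the ISP session is up; holds the
#             public address (assumed ppp0)
#   LAN_NET - constructed RFC 1918 range used by the LAN hosts
EXT_NIC="${EXT_NIC:-eth0}"
LAN_NIC="${LAN_NIC:-eth1}"
PPP_IF="${PPP_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit one command per line. Policies are DROP for INPUT and FORWARD, so only
# traffic that is explicitly allowed below passes the firewall.
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_NIC -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $PPP_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_NIC -j DROP
iptables -A FORWARD -i $LAN_NIC -o $PPP_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $PPP_IF -o $LAN_NIC -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $PPP_IF -s $LAN_NET -j MASQUERADE
EOF
}

# DRY_RUN=1 prints each command; otherwise each is executed (needs root).
apply_rules() {
    fw_rules | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

case "${1:-show}" in
    apply) DRY_RUN=0 apply_rules ;;
    show)  DRY_RUN=1 apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

The rule `-A INPUT -i $EXT_NIC -j DROP` is what the second NIC buys you: PPPoE discovery and session frames use their own Ethernet types (0x8863 and 0x8864) and never reach the IPv4 netfilter hooks, so any plain IP packet arriving on the modem-facing NIC is unexpected and can be dropped outright. With the modem on the same switch as the LAN, no such rule on the server would stop a packet from reaching the other hosts directly, which is Camaleón's point.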