I don't think this is necessarily so. IPchains sets up the filter
independently on each interface, so you could, if you wanted, allow stuff in
that you later deep six, e.g., you let it come in the front door but deny it
passage out the back, to your internal LAN. In the meantime, you tripwire,
etc., it, catching and logging all those port scans and their ilk.
Tom
Alan Mead <[EMAIL PROTECTED]> on 06/02/2000 01:00:20 PM
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc:
Subject: Re: IPChains..
At 11:09 AM 6/2/00 , Gordon Messmer wrote:
>Duncan Hill wrote:
> > The PIX on the network does this for me :) I just need a way to
> > protect my system so it cannot be used as an entrance point.
> > Portsentry is up and running already :>
>
>Once you firewall your machine properly, portsentry will be next to
>useless. It will only warn you about errant connection attempts from
>inside your own network, because those are the only connections it will
>receive :) The kernel will drop connections from the outside world
>before portsentry sees them.
I don't know what a PIX is... but if I understood Duncan correctly, his
internal LAN was using an IP address space that he doesn't own (Duncan,
is this correct? this is the crux, yes?). These machines were being serviced
by an IP Masq firewall that translated from their IP addresses to one
legitimate IP address. His machine is a web server and (whatever port 22
services) and the firewall is configured to expose his machine. I'm
curious about the details of this but I assume that he has a single
interface that is connected to his LAN.
Anyway, he asked how to use IP chains to block all outside traffic except
ports 22 and 80 and allow all internal traffic.
Duncan, if this is correct, I don't think you can distinguish internal and
external traffic on your machine. This has to be done at the border
between your LAN and the outside world (I think this is what Gordon is
saying).
Or, you could just trust all traffic from the IP space of your internal LAN
and hope no one who really owns that space attacks. Actually, doubts creep
in as I write this... how would your routing return packets correctly to
internal machines? If the packets are being routed correctly to your LAN
peers then I guess you have little to worry about the legitimate users of
this IP space because they'll never see responses to the packets they send?
-Alan
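An ipchains ruleset for the setup Alan describes, added here as an illustration (it is not from anyone in this thread): a single-interface host that should answer the outside world only on TCP 22 and 80, trusts everything from its internal LAN's address space (Alan's "trust the internal IP space" option, with the spoofing caveat he raises), and logs whatever it drops so scans still leave a trace after the kernel starts discarding them before portsentry sees them. The interface name eth0 and the LAN range 192.168.1.0/24 are assumptions; the script only prints the commands unless DRY_RUN is set to 0.

```shell
#!/bin/sh
# Added example ruleset, not from the original thread.
# Assumptions: one interface (eth0) and an internal LAN on 192.168.1.0/24.

EXT_IF="${EXT_IF:-eth0}"                # assumed interface name
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed internal address space
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print only, 0 = apply with ipchains

# run: print the ipchains command, and execute it only when DRY_RUN is 0.
run() {
    echo "ipchains $*"
    [ "$DRY_RUN" = "0" ] && ipchains "$@"
    return 0
}

# build_rules: emit the input-chain rules, first match wins.
build_rules() {
    # Default policy for packets addressed to this host: drop.
    run -P input DENY
    run -F input

    # Loopback traffic is always allowed.
    run -A input -i lo -j ACCEPT

    # Trust the internal LAN's address space. This is the option Alan
    # describes, and it relies on source addresses, which can be spoofed.
    run -A input -i "$EXT_IF" -s "$LAN_NET" -j ACCEPT

    # Services exposed to everyone: SSH (22) and HTTP (80).
    run -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 22 -j ACCEPT
    run -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 80 -j ACCEPT

    # Replies to connections this host opened: TCP packets without the SYN
    # bit set (! -y). New inbound connections to other ports never match here.
    run -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # Everything else is logged (-l) and dropped, so port scans that the
    # kernel now discards before portsentry sees them still show up in syslog.
    run -A input -i "$EXT_IF" -l -j DENY
}

build_rules
```

Set DRY_RUN=0 to actually load the rules; with the default the script just lists what it would do, which is a convenient way to review the ordering before touching a remote host over the very port 22 the rules must keep open.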
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.