At 03:53 PM 6/2/00 , you wrote:
> > Anyway, he asked how to use IP chains to block all outside traffic except
> > ports 22 and 80 and allow all internal traffic.
> > Duncan, if this is correct, I don't think you can distinguish internal and
> > external traffic on your machine.  This has to be done at the border
>
>I think it may be possible to determine internal and external traffic
>by the address.  I need to get someone to ping me while I have tcpshow
>running though, that way I can look at packets as they flow :)
>
> > Or, you could just trust all traffic from the IP space of your
> > internal LAN and hope no one who really owns that space attacks.
>
>You've just found the problem with using "real" IPs on an internal
>network.  If a host outside your masqd network has an IP that is
>inside of your network, you can never reach that host.  I'm not sure
>about the other way around with the conduits.  I _think_ that if an
>external host with the same IP as a server on the inside requests
>something from the inside host, it gets through fine, and receives an
>answer fine due to the way the PIX does the translation.

When you say "determine internal and external traffic by the address" you 
lose me.  It's entirely possible that a local host and a remote host are 
both using the same IP, right?  So for those few remote hosts that share 
your LAN's IP address space, I don't think you can determine whether they 
are local or remote.  Now if all packets automagically go to the local 
hosts, I'm not sure how worried I would be...  I would probably just allow 
all packets from the IP space occupied by my LAN and disallow others.

-Alan
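The policy Alan describes (accept everything from the LAN's address space, accept only TCP 22 and 80 from anywhere else, deny the rest) as an added ipchains rule generator; this is not code from the thread. It also adds an interface-based anti-spoofing rule, since, as the thread notes, a source address alone cannot tell a LAN host from an outside host using the same space; the prefix 192.168.1.0/24 and interface eth0 are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits an ipchains "input"
# chain policy for review rather than applying it directly.
LAN_NET="192.168.1.0/24"   # constructed example LAN prefix (assumption)
EXT_IF="eth0"              # assumed interface facing the outside world

# ipchains_rules LAN_PREFIX EXT_INTERFACE
# Prints the rule set; pipe it to sh once it has been reviewed.
ipchains_rules() {
  lan="$1"; ext="$2"
  cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
# A packet claiming a LAN source must never arrive on the external interface
# (address alone cannot distinguish the two; the interface can). -l logs it.
ipchains -A input -i $ext -s $lan -l -j DENY
# Everything from the LAN's own address space (now known to be internal)
ipchains -A input -s $lan -j ACCEPT
# From anywhere else, only SSH and HTTP may open a connection
ipchains -A input -p tcp -s 0/0 -d 0/0 22 -j ACCEPT
ipchains -A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT
# Replies to connections we opened: ipchains is stateless, so the best it
# can do is accept TCP segments without the SYN flag (! -y)
ipchains -A input -p tcp ! -y -j ACCEPT
EOF
}

# Number of rule-adding lines the generator emits (used for sanity checks).
count_rules() {
  ipchains_rules "$1" "$2" | grep -c '^ipchains -A'
}

# Usage (after reviewing the output):  ipchains_rules "$LAN_NET" "$EXT_IF" | sh
```

Because ipchains has no connection tracking, the final `! -y` rule admits any non-SYN TCP segment, not just genuine replies; that is a known limitation of this generation of packet filter, not of the policy itself.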


-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
