At 03:53 PM 6/2/00, you wrote:
> > Anyway, he asked how to use IP chains to block all outside traffic except
> > ports 22 and 80 and allow all internal traffic.
> > Duncan, if this is correct, I don't think you can distinguish internal and
> > external traffic on your machine. This has to be done at the border
>
>I think it may be possible to determine internal and external traffic
>by the address. I need to get someone to ping me while I have tcpshow
>running though, that way I can look at packets as they flow :)
>
> > Or, you could just trust all traffic from the IP space of your
> > internal LAN and hope no one who really owns that space attacks.
>
>You've just found the problem with using "real" IPs on an internal
>network. If a host outside your masqd network has an IP that is
>inside of your network, you can never reach that host. I'm not sure
>about the other way around with the conduits. I _think_ that if an
>external host with the same IP as a server on the inside requests
>something from the inside host, it gets through fine, and receives an
>answer fine due to the way the PIX does the translation.
When you say "determine internal and external traffic by the address" you
lose me. It's entirely possible that a local host and a remote host are
both using the same IP, right? So for those few remote hosts that share
your LAN's IP address space, I don't think you can determine whether they
are local or remote. Now if all packets automagically go to the local
hosts, I'm not sure how worried I would be... I would probably just allow
all packets from the IP space occupied by my LAN and disallow others.
-Alan
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
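The policy discussed above (allow the LAN's address block, allow TCP 22 and 80 from anywhere, deny the rest) written out as an ipchains ruleset, together with the address check that this approach relies on. This is an added example, not code from anyone in the thread; LAN_NET is a constructed placeholder for the "real" block assigned to the LAN, and the rules are only printed, not applied.

```sh
#!/bin/sh
# Constructed placeholder for the LAN's "real" address block.
LAN_NET="192.0.2.0/24"

# ip_to_int: dotted quad -> unsigned 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_net IP CIDR: prints "yes" if IP falls inside CIDR, else "no".
# This is exactly the test the firewall makes with "-s $LAN_NET": a remote
# host that happens to use an address inside LAN_NET also gets "yes", which
# is the ambiguity raised in the thread. Source address is the only handle a
# single host has, so the rule is a best-effort approximation, not proof of
# locality.
in_net() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# gen_rules: print the ipchains commands for the input chain. Order matters:
# the LAN accept comes before the port accepts, and the default policy is
# DENY so anything not matched is dropped.
gen_rules() {
    cat <<EOF
ipchains -F input
ipchains -P input DENY
ipchains -A input -i lo -j ACCEPT
ipchains -A input -s $LAN_NET -j ACCEPT
ipchains -A input -p tcp --dport 22 -j ACCEPT
ipchains -A input -p tcp --dport 80 -j ACCEPT
EOF
}

gen_rules
```

Pipe the output to sh on the firewall host only after reviewing it; with the DENY policy, a mistake in LAN_NET locks out every local host except on ports 22 and 80.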