On Fri, Jun 09, 2000 at 13:33 +0200, Thomas Michael Wanka wrote:
I have a PC connected to the internet and my server doing NAT to allow access from my LAN to the internet. My LAN, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my LAN as the private addresses are not routed in the internet.
This ^^^^^^^^^^^^^^ is better put as "should not get routed ..." -- it's not a requirement but common practice. Don't count on "RFC1918 won't show up from outside" and "won't find a way" (I'm not speaking of where the packets will end up when many LANs leak ambiguously addressed packets).
So someone would need to compromise my router, log in (with e.g. telnet) and then have access to my LAN.
How about someone addressing a packet to your RFC-address and source routing it via your official IP (see the IP options on this)? This will deliver the packet to your router, and this machine knows how to get to your workstation or LAN server. And to repeat it: don't count on source routed packets being dropped just because *you* have always done so. Just as you make mistakes yourself, other admins will fail too, sometimes. And there's always something your neighbour might not even know about and thus doesn't even have a chance of being concerned about. :)

This is all heading in the same direction: every aspect turns out to be a configuration problem. Don't imply anything; express all constraints yourself. Set up a packet filter and explicitly state yourself:

- "I don't expect to see RFC1918 IPs on the outside, so I drop those packets"
- "I know that _my_ address is *mine*, so nobody else may use it, too"
- "loopback addresses never show up on NICs"
- "I know that packets from the inside can have internal source addresses only"
- "nobody will ever initiate a connection _into_ my net; I always act as the consumer and don't service anyone out there"
- etc. pp.

It may sound a little stupid, but security is about being paranoid. :) The good thing about these explicit rules is that you can be sure of some things not happening. Even if you get this stuff delivered, it won't make it over your router. And whatever you produce inside, it won't get out unless you allow it to. Just express your expectations and make a mechanism enforce this regime ...

virtually yours
Gerhard Sittig
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
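The explicit expectations listed in the reply above, written out as a packet-filter policy. This is an added example, not code from the thread; the interface names, the public address (a TEST-NET placeholder), the LAN prefix, and the packet dictionary layout are all assumptions, and "syn" stands in for a SYN-only TCP segment, i.e. a connection being initiated.

```python
"""Added example: a stateless anti-spoofing policy for packets *arriving*
on a NAT router's interfaces. Topology, addresses and the packet layout
are assumptions, not taken from the original mail."""
from ipaddress import ip_address, ip_network

EXTERNAL_IF, INTERNAL_IF = "eth0", "eth1"      # assumed: eth0 faces the internet
MY_PUBLIC_IP = ip_address("203.0.113.10")      # assumed official IP (TEST-NET-3)
LAN = ip_network("192.168.1.0/24")             # assumed RFC1918 LAN behind eth1
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK = ip_network("127.0.0.0/8")
IP_OPT_LSRR, IP_OPT_SSRR = 0x83, 0x89          # loose / strict source route option types


def is_private(addr):
    """True if addr lies in one of the RFC1918 blocks."""
    return any(addr in net for net in RFC1918)


def verdict(pkt):
    """Classify a packet dict {iface, src, dst, options?, syn?} arriving on
    a router interface. Returns ('DROP', reason) or ('ACCEPT', None)."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    opts = set(pkt.get("options", ()))
    # Source routing lets an outsider steer a packet addressed to an RFC1918
    # host through this router; never honour it, on any interface.
    if opts & {IP_OPT_LSRR, IP_OPT_SSRR}:
        return "DROP", "source-routed packet"
    # "loopback addresses never show up on NICs"
    if src in LOOPBACK or dst in LOOPBACK:
        return "DROP", "loopback address on NIC"
    if pkt["iface"] == EXTERNAL_IF:
        # "I don't expect to see RFC1918 IPs on the outside"
        if is_private(src) or is_private(dst):
            return "DROP", "RFC1918 address on the outside"
        # "my address is mine, nobody else may use it"
        if src == MY_PUBLIC_IP:
            return "DROP", "my own address used as source from outside"
        # "nobody will ever initiate a connection into my net"
        if pkt.get("syn"):
            return "DROP", "connection initiated from outside"
    elif pkt["iface"] == INTERNAL_IF:
        # "packets from the inside can have internal source addresses only"
        if src not in LAN:
            return "DROP", "non-LAN source on the inside"
    else:
        return "DROP", "unknown interface"
    return "ACCEPT", None
```

A real filter would add connection tracking for the "consumer only" rule and apply the same checks to packets leaving each interface; the point here is that every expectation becomes an explicit, testable rule.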