Hi,

It is certainly true that your workstation is not easily accessible from the outside. However, every time you open a connection with HTTP, FTP or whatever, your gateway opens a port which will open a route to your inner workstation. I'm not an expert in this, but I guess with a little luck, a nasty tool and an insecure workstation one *could* get onto the workstation without cracking the gateway in the first place. Although this seems really paranoid, you can read in every security paper that it is better to use proxies on your gateway than network address translation. Then you have to crack the gateway before possibly getting into the inner network.

If someone cracked your gateway he has only the tools available on the machine. You can prohibit users from using / in commands (so they can't download a tool and use it, since they just can't launch it with ./mytool.sh). There is a kernel patch which can make your system really secure with read-only logfiles and the like (they can only be written by the kernel itself); however, for maintenance you have to reboot into a less secure kernel since even root can't do anything with this patch.

I think for most cases it is secure enough to have no compiler installed, no user accounts, every damn port closed which is not necessarily used, ban every clear-text protocol (telnet, ftp) and rsync your logfiles from an inner machine every once in a while (and read them ;-)

Maybe a real expert can confirm or deny the first paragraph?

enjoy the weekend
-florian

On Fri, 9 Jun 2000 Thomas Michael Wanka yelled into the voidness of cyberspace:
On 9 Jun 2000, at 11:28, Julien Calvet wrote:
Yes you can ... You must use the IP-route2 package to make NAT.
Hi,
To me it sounded like Julien wanted to know if *somebody* (not allowed to) can connect to the private LAN through his router. And that, AFAIK, is not possible without getting access to the router.

This leads me to a question I wanted to post for quite a while:

I have a PC connected to the internet and my server doing NAT to allow access from my LAN to the internet. My LAN, like Julien's, uses private addresses 192.168.xxx.xxx. As said above, AFAIK it is not possible for someone to access my LAN as the private addresses are not routed on the internet. So someone would need to compromise my router, log in (with e.g. telnet) and then have access to my LAN. If that happened, all he has to access my LAN with are the programs installed on the router. Is that right?
thanks
mike
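As an added illustration of the point Florian and Mike are discussing (example code written for this page, not from the thread or from SuSE): a toy model of a peer-and-port-restricted masquerading gateway, in which the only way an Internet packet can reach a 192.168.x.x host is to be the reply to a mapping that the LAN host itself created by talking out. The addresses, the 40000 port base and the traffic in `demo()` are all constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatGateway:
    """Toy masquerading gateway (constructed for illustration): outbound LAN traffic
    is rewritten to one public address; inbound packets pass only if they match a
    mapping that an earlier outbound packet created."""

    def __init__(self, public_ip: str, lan_prefix: str = "192.168.") -> None:
        self.public_ip = public_ip
        self.lan_prefix = lan_prefix
        self.next_port = 40000  # constructed port base for allocated public ports
        self.table = {}  # (remote_ip, remote_port, public_port) -> (lan_ip, lan_port)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate a public port, record the mapping, rewrite src."""
        if not pkt.src.startswith(self.lan_prefix):
            raise ValueError("only LAN hosts are masqueraded")
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.dst, pkt.dport, pub_port)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only a reply to a tracked connection, else drop.
        A packet sent straight to 192.168.x.x never matches, nor does one to the
        public address from a peer/port that nobody inside has talked to."""
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst != self.public_ip or key not in self.table:
            return None
        lan_ip, lan_port = self.table[key]
        return Packet(pkt.src, pkt.sport, lan_ip, lan_port)

def demo() -> Tuple[Optional[Packet], ...]:
    """Constructed traffic: one web request from the LAN, then four inbound packets."""
    gw = NatGateway("203.0.113.5")
    out = gw.outbound(Packet("192.168.1.10", 51000, "198.51.100.80", 80))
    reply = gw.inbound(Packet("198.51.100.80", 80, "203.0.113.5", out.sport))  # forwarded
    direct = gw.inbound(Packet("198.51.100.80", 80, "192.168.1.10", 51000))  # private dst
    unasked = gw.inbound(Packet("198.51.100.80", 80, "203.0.113.5", 22))  # no mapping
    other = gw.inbound(Packet("198.51.100.99", 80, "203.0.113.5", out.sport))  # wrong peer
    return reply, direct, unasked, other
```

NAT variants that accept inbound traffic from any peer once a port is mapped widen that window, which is the exposure Florian is worried about; even then, only the mapped LAN host and port are reachable, and only while the mapping exists.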
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com