AW: [suse-security] same ip for two interfaces
hi folks,
Can somebody see a (security) problem in assigning the external and the DMZ interface the same IP address? All the ipchains rules are using the interface switch (-i).
Why on earth would you do that? That is so f**ked up. Use an "internal" IP on the internal interface, like 10.0.0.1; as long as the machines in the DMZ/etc. know how to get to it (which they will), everything is fine.
The INTERNAL interface has a private IP address (192.168.x.x). I am talking about the EXTERNAL and the DMZ interface!! I want to do that because they've got only 8 public IP addresses (so 6 actually).
thanx,
jb
> The INTERNAL interface has a private IP address (192.168.x.x). I am talking about the EXTERNAL and the DMZ interface!!
> I want to do that because they've got only 8 public IP addresses (so 6 actually).
So use 10.0.0.1 on the DMZ interface. As long as no-one on the INTERNET needs to talk directly to that interface it'll work fine. I.e. a traceroute would show:
1.2.3.4 (your ISP's router)
5.6.7.8 (external IP on your firewall)
* * * (can't talk to him....)
5.6.7.9 (IP of your server on the DMZ)
See?
-Kurt
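A constructed ruleset for the three-interface layout Kurt sketches above, added here as an example and not something posted in the thread. It assumes eth0/eth1/eth2 as the external, DMZ and internal interfaces, 5.6.7.8/29 as the public block routed to the firewall, 192.168.1.0/24 inside, and uses iptables (which Gerhard recommends further down) rather than the ipchains of the original question; every rule is keyed on the interface, which is the point jb raised.

```shell
#!/bin/sh
# Constructed example for the layout Kurt describes; not a ruleset from the thread.
# Assumed topology: eth0 = external, addressed 5.6.7.8 from the public /29 the ISP
# routes to the firewall; eth1 = DMZ, addressed 10.0.0.1 (private, as Kurt advises)
# while the DMZ server keeps its public 5.6.7.9; eth2 = internal 192.168.1.0/24.
EXT=eth0; DMZ=eth1; INT=eth2
PUBLIC=5.6.7.8/29          # assumed public block (8 addresses, 6 usable)
DMZ_SRV=5.6.7.9            # Kurt's example DMZ server
DMZ_IF_ADDR=10.0.0.1       # private address on the DMZ interface
INTERNAL=192.168.1.0/24    # assumed internal network

# Every rule is keyed on the interface (-i/-o), not on addresses alone, so a
# firewall address shared between interfaces would never be what a rule matches on.
fw_rules() {
  # Reverse-path filtering: the kernel drops a packet whose source address is not
  # routed back out through the interface it arrived on.
  echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  # Anti-spoofing on the outside: our own block and RFC1918 space never arrive from the Internet.
  for net in "$PUBLIC" 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    echo "iptables -A INPUT   -i $EXT -s $net -j DROP"
    echo "iptables -A FORWARD -i $EXT -s $net -j DROP"
  done
  # Replies belonging to connections the firewall already tracks.
  echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Internet -> DMZ server: only the web port, only on the external-to-DMZ path.
  echo "iptables -A FORWARD -i $EXT -o $DMZ -d $DMZ_SRV -p tcp --dport 80 -j ACCEPT"
  # DMZ server -> Internet, only from its own public address.
  echo "iptables -A FORWARD -i $DMZ -o $EXT -s $DMZ_SRV -j ACCEPT"
  # Internal -> Internet, and internal -> DMZ web server.
  echo "iptables -A FORWARD -i $INT -o $EXT -s $INTERNAL -j ACCEPT"
  echo "iptables -A FORWARD -i $INT -o $DMZ -s $INTERNAL -d $DMZ_SRV -p tcp --dport 80 -j ACCEPT"
  # The firewall itself answers only on the inside and, from the DMZ, only on its private address.
  echo "iptables -A INPUT -i $DMZ -s $PUBLIC -d $DMZ_IF_ADDR -j ACCEPT"
  echo "iptables -A INPUT -i $INT -s $INTERNAL -j ACCEPT"
  echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Dry run by default: print the commands. "apply" pipes them into a root shell.
case "${1:-}" in
  apply) fw_rules | sh -e ;;
  *)     fw_rules ;;
esac
```

Run without arguments to review the generated commands; the only FORWARD rule without an interface match is the state rule for already-tracked connections.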
On Thu, Nov 02, 2000 at 10:36 +0100, Bauer, Juergen wrote:
> I want to do that because they've got only 8 public IP addresses (so 6 actually).
Why is the word "T-IC" immediately bubbling up? :>

Well, it doesn't have a "Linux" in its name, but you might want to visit http://www.obfuscation.org/ipf/ and read the ipfilter howto. Even if you won't employ ipf it will be very helpful in understanding packet filters and how to create your rulesets. BTW, when reading this document you will notice where ipchains is lacking and why you will want to use iptables(sp?) at the very least (i.e. kernel 2.4 plus what it takes to run it).

And if you decide to use, say, OpenBSD -- it has ipf in its base. This way you could set up a bridge with it, don't need any IP numbers for the machine and still have the packets filtered. Just imagine that you get a "wire" which looks and behaves like a normal copper line, but turns out to be quite selective about which traffic to let through. :)

And while you're at this (improving your software environment), leave bind and sendmail and Co. aside and use djbdns, qmail or postfix, et al. You definitely *will* get attacked at least once a day. It's always better to be safe than sorry ...

PS: This is *not* Linux bashing. It's just pointing out where other systems fit better for a particular purpose.

virtually yours
Gerhard Sittig
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
participants (3)
- Bauer, Juergen
- Gerhard Sittig
- Kurt Seifried