Michael Leone on Tue, 27 Mar 2001 17:08:53 -0500



Re: [PLUG] DSL


> I would think that you can mangle your packets to use a spoofed MAC address
> through iptables 1.2.1.  Just don't ask me how as I have no frigg'n clue.

You don't even need to go that far, unless you are connecting INTO your
hosts from the outside *and* using some software (like some VPN software)
that doesn't like masq'ed addresses.

I use DCA, sort of in the way that Jason describes - I gave them the MAC
address of the firewall, and all internal hosts just go out thru the
firewall. You don't even need to do the static 1-1 NATing, unless you're
trying to come in from the outside. And even then, it might not be
necessary - my firewall port-forwards http, ftp and ssh to the proper
internal hosts. So I just use the one external IP, and let the firewall
route incoming requests, based on protocol. For many things, this is
sufficient (such as web server, FTP server, SSH server, mail server, etc.).

I use LRP (Linux Router Project), a distro of Linux that fits on a diskette,
on an old P-100, 32M RAM, no HD, 2 NIC machine, as a firewall, on a DSL line
(line provided by Verizon [blech], ISP services by DCA).

> This is easily circumvented by using a firewall and doing static address
> translation (i.e. 1-1 NAT mappings from an RFC1918 address on your LAN
> to the globally routable addresses that the ISP gives you).  In that case,
> the MAC address for ALL of your IPs would be the same, the external i/f
> of the firewall.  Depending on how your provider works, you may have
> to proxy arp/setup static arps on the external i/f of the firewall to ensure
> the traffic will be sent to you (unless they simply forward all traffic
> on a layer-2 basis).
>
> In addition to it being easy to circumvent the problems, with the firewall
> properly configured, it's also more secure.



______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
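The single-external-IP setup described in the post (masquerade the LAN outbound, port-forward http, ftp and ssh inbound to separate internal hosts), written out as an added example that is not from the thread or from LRP. Interface names, the 192.168.1.0/24 LAN and the three internal host addresses are assumptions; the script emits an iptables-restore ruleset so it can be reviewed without root and loads it only when run as root with `--apply`.

```shell
#!/bin/sh
# Added example (not from the PLUG thread): iptables 1.2.x NAT rules for a
# firewall that owns one external IP. Assumed names: eth0 external (DSL),
# eth1 LAN 192.168.1.0/24, hosts .10 = web, .11 = ftp, .12 = ssh.
EXT_IF=eth0; INT_IF=eth1; LAN=192.168.1.0/24
WEB_HOST=192.168.1.10; FTP_HOST=192.168.1.11; SSH_HOST=192.168.1.12

# Emit the ruleset in iptables-restore format rather than calling iptables
# directly, so it can be reviewed (or tested) without root on the firewall.
build_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Outbound: the whole LAN leaves with the firewall's external address (masq)
-A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
# Inbound: one external IP, demultiplexed to internal hosts by destination port
-A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST:80
-A PREROUTING -i $EXT_IF -p tcp --dport 21 -j DNAT --to-destination $FTP_HOST:21
-A PREROUTING -i $EXT_IF -p tcp --dport 22 -j DNAT --to-destination $SSH_HOST:22
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The firewall itself answers only the LAN and replies to its own connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $INT_IF -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Forward only LAN-originated traffic, replies, and the three published ports
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
-A FORWARD -i $EXT_IF -p tcp -d $WEB_HOST --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT_IF -p tcp -d $FTP_HOST --dport 21 -m state --state NEW -j ACCEPT
-A FORWARD -i $EXT_IF -p tcp -d $SSH_HOST --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: number of services the ruleset publishes to the outside
count_published() { build_rules | grep -c -- '-j DNAT'; }

# Load only when explicitly asked and running as root on the firewall
if [ "$1" = "--apply" ] && [ "$(id -u)" = 0 ]; then
    build_rules | iptables-restore
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Active-mode FTP data connections through NAT additionally need the ip_conntrack_ftp and ip_nat_ftp modules loaded on the firewall; without them only passive FTP will work through this ruleset.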