Re: [PLUG] dsl questions

LeRoy Cressy on Thu, 30 Jan 2003 06:30:37 -0500

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] dsl questions

From: LeRoy Cressy <leroy@lrcressy.com>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] dsl questions

Date: Thu, 30 Jan 2003 06:18:44 -0500

Delivery-date: Thu, 30 Jan 2003 06:30:37 -0500

Envelope-to: jeff@localhost

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

It is true that all of my internal stuff is on a private network but I set up specific rules for each port that I want to translate. A blanket Masquerade rule rule increases risk.

iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 \ - --dport 20 -j SNAT --to $RealIP

Eugene Smiley wrote:
I believe that what LeRoy is doing is performing masquerading, where all the IP's behind the Linux box (including the DMZ) all have private IPs i.e. 192.168.1.0.

Considering that you have a Linksys router (which performs NAT firewalling) already, why aren't you using it at your entry point? Just because you get 5 IP's doesn't mean that you have to use them. Just place it before your switch.

Like LeRoy, I'd be very nervous about not having anything between the public and my boxes.

Most FAQs/HOWTOs you read will warn against running any services on a firewall box if you end up using a linux box as a masquerading or NAT firewall. Given that some people opt to use an old PC, i.e. that Pentium 100 buried in the parts closet.

Eugene

-----Original Message----- From: plug-admin@lists.phillylinux.org [mailto:plug-admin@lists.phillylinux.org]On Behalf Of epike@isinet.com Sent: Wednesday, January 29, 2003 5:40 PM To: plug@lists.phillylinux.org Subject: Re: [PLUG] dsl questions

hi

thanks for the input.

the 3 hosts are actually: 2 linux boxes and a linksys firewall (with the 802.11 antenna). that leaves me with 2 linux boxes to protect. more work but not too bad.

i'll try to implement a DMZ with the 2 linux boxes as a starting point....by the way does your firewall also serve something? I try to minimize the number of machines and I dont have a lot of IP numbers either.

In my case i'll try to setup the firewall server as a regular web server also, so one its NIC would show up as an address inside the DMZ is that possible?

jondz

_________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce General Discussion -- http://lists.netisland.net/mailman/listinfo/plug

- -- Rev. LeRoy D. Cressy mailto:leroy@lrcressy.com /\_/\ http://lrcressy.com ( o.o ) Phone: 215-535-4037 > ^ <

gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life: no man cometh unto the Father, but by me. (John 14:6) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+OQohP+/m2oUBr+oRAikdAJ4ogfj4MndQJLj6rWiyERw78X4ungCfeaR0 M1ZPzBmZix3FqaFUGVMLM2s= =YSIu -----END PGP SIGNATURE-----

_________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce General Discussion -- http://lists.netisland.net/mailman/listinfo/plug

Follow-Ups:

[PLUG] firewall risk
From: Jeff Abrahamson <jeff@purple.com>

References:

RE: [PLUG] dsl questions
From: "Eugene Smiley" <eugene@esmiley.net>

Prev by Date: Re: [PLUG] "Friends don't let friends use Dell"

Next by Date: [PLUG] firewall risk

Previous by thread: Re: [PLUG] dsl questions

Next by thread: [PLUG] firewall risk

Index(es):

Date

Thread