Re: The ADSL howto with the ip masquerade instructions
- To: Dani Arbel <darbel(at-nospam)techunix.technion.ac.il>
- Subject: Re: The ADSL howto with the ip masquerade instructions
- From: Eran Tromer <eran(at-nospam)tromer.org>
- Date: Sun, 11 Feb 2001 20:07:28 +0300
- CC: linux-il <linux-il(at-nospam)cs.huji.ac.il>
- References: <Pine.SOL.4.10.10102111816270.29882-200000@techunix.technion.ac.il>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
Hello,
A few notes about the ADSL masquerading section:
Dani Arbel wrote:
> Although option b looks strange at the beginning, with a security problem,
> this is not the case: The internet is connected through a ppp
> interface in your Linux box, and the ethernet segment on ip network
> 10.0.0.0 ends at your adsl's ethernet port.
There is some added risk in option B. If the ADSL modem is on a hub with
the rest of your LAN then it can hear all your LAN traffic. Thus if it
is compromised then you lose all privacy on your LAN. In addition, any
local firewall or authentication method that filters according to network
interface will be circumvented. The ADSL modem runs some pretty complex
software on a general-purpose CPU, and is also rumored to have a
remote-update facility, so this threat is serious. If any sensitive data
moves across your LAN, and unless all machines on the LAN are secure
(rather than relying on a firewall), then consider buying a cheap
10BaseT NIC and dedicating it to the ADSL modem.
> Now run the ipchains rules that enable the ip masquerading.
> Something like this (again, refer to the ip masquerade howto
> for complete description):
These instructions do not apply to kernel 2.4. The HOWTO is not yet
updated and some proxies are apparently not yet implemented, so I
recommend sticking to 2.2 on the masquerading box.
> # Enable simple IP forwarding and Masquerading
> Win2k is similar (find the correct instance of ethernet card by the ip
> number), but you have to add a dword object.
There are a few more differences in Win2K.
The key is
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
and the value is "MTU" of type DWORD, instead of "MaxMTU" of type
String.
Regards,
Eran Tromer