From: <ch...@to...> - 2004-03-23 19:58:41
I did not mean so much a filtering bridge like that, just a virtual layer 2 bridge between the physical card and eth0 with a public IP on eth0, then a full TCP/IP connection between eth0:1 and a second tap with private addresses. But the filtering bridge may be possible as well. Depending on how the ISP is set up, nothing should be coming down the pipe but TCP/IP, but you never know. NetBEUI is unroutable, so the attacker would have to be on your side of any router (or have a way of getting there). A Linux box with IPTables set up would be just as vulnerable if it had an IPX stack or a HyperSCSI driver (SCSI over raw Ethernet, like iSCSI but without the TCP/IP overhead). That is why a dedicated firewall is always best. With a little careful setting up of Windows it should be good enough security.

chris

> Hey,
>
> On Tue, 23 Mar 2004 ch...@to... wrote:
>> Disclaimer: IANAMCSE and IANAcLD
>> If the bridging is set up correctly then only the Ethernet level of the
>> stack should be used for the unfiltered data; because Windows does not
>> have an address on the physical LAN, all TCP/IP traffic will be filtered.
>
> You're right! I didn't look at it the right way, now did I? :^P
> Didn't think about bridging. I'm very NAT-centered....
>
> I've never done the "filtering bridge" setup before. But
> it's a thoroughly cool method. If you haven't heard about it,
> here's a decent page Google coughed up:
>
> http://ezine.daemonnews.org/200211/ipfilter-bridge.html
>
> and there are plenty more out there about configuring xBSD as a
> filtering bridge. In short, (I hope I'm summarizing this correctly,
> please correct me if I'm not) this is a network box configured
> without an IP address on either its up- or down-stream interfaces.
> This means it's more or less "invisible" but still filters
> packets. Keeps crackers from knowing it's there, and makes
> it very difficult to break into as well.
>
> If Windows can work in a similar way, bridging without an IP address
> on its outside Network Connection, this would eliminate a significant
> vulnerability space and might just do what you want. Anyone else
> out there know if this is possible (IANAMCSE, either :^)?
>
> Clemmitt
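The point chris makes about IPX and HyperSCSI stacks sitting beside an iptables ruleset, and Clemmitt's description of a filtering bridge, as an added example that is not code from the thread: a minimal layer-2 classifier showing which frames an IP-layer filter never inspects and what a layer-2 filtering bridge would pass or drop. The EtherType and LLC SAP values are the IEEE assignments; the MAC addresses and frame payloads are constructed placeholders.

```python
import struct

# EtherType values (IEEE assignments). A type field <= 1500 is an IEEE 802.3
# length instead, and an 802.2 LLC header follows it.
ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806
ETH_P_IPX = 0x8137
LLC_SAP_NETBIOS = 0xF0      # NetBEUI (NBF) is carried in LLC with this SAP
BRIDGE_ALLOW = {"ipv4", "arp"}  # layer-2 types the bridge lets through

def classify(frame: bytes) -> str:
    """Name the protocol in an Ethernet frame from its 14-byte header alone."""
    if len(frame) < 14:
        return "runt"
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len <= 1500:                 # 802.3 length, LLC header follows
        if len(frame) < 17:
            return "runt"
        dsap = frame[14] & 0xFE             # mask the individual/group bit
        return "netbeui" if dsap == LLC_SAP_NETBIOS else "llc-other"
    names = {ETH_P_IP: "ipv4", ETH_P_ARP: "arp", ETH_P_IPX: "ipx"}
    return names.get(type_or_len, "other")

def bridge_decision(frame: bytes) -> str:
    """What a layer-2 filtering bridge does with the frame: pass or drop."""
    return "pass" if classify(frame) in BRIDGE_ALLOW else "drop"

def ip_firewall_sees(frame: bytes) -> bool:
    """An IP-layer filter such as iptables only inspects IPv4 frames; other
    protocols reach the host's remaining stacks (IPX, NetBEUI) unfiltered."""
    return classify(frame) == "ipv4"

def build_frame(type_or_len: int, payload: bytes) -> bytes:
    """Constructed sample frame: placeholder MACs + type/length + payload."""
    dst, src = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
    return dst + src + struct.pack("!H", type_or_len) + payload

# Constructed sample traffic; payloads are placeholders, not real packets.
SAMPLES = {
    "ipv4":    build_frame(ETH_P_IP, b"\x45" + b"\x00" * 39),
    "arp":     build_frame(ETH_P_ARP, b"\x00\x01\x08\x00" + b"\x00" * 24),
    "ipx":     build_frame(ETH_P_IPX, b"\xff\xff" + b"\x00" * 28),
    # NetBEUI: 802.3 length 46, then LLC DSAP 0xF0, SSAP 0xF0, control 0x03
    "netbeui": build_frame(46, b"\xf0\xf0\x03" + b"\x00" * 43),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:8} bridge={bridge_decision(frame):4} "
              f"ip_filter_inspects={ip_firewall_sees(frame)}")
```

The IPX and NetBEUI frames are exactly the ones an IP-only ruleset never looks at, which is why the bridge (or a dedicated firewall) has to decide at layer 2.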