Subject: [suse-security] How FW-Router w/o masquerading ?
From: Andreas Fiesser (fiessergmx.net)
Date: Sun Oct 08 2000 - 13:53:43 CDT


I've got a Cisco dial-in ISDN router to connect a LAN to the Internet.
Mr. Boss wants a firewall to be placed behind the Cisco.
Now I thought I could set up an old 486/40 box with two NICs and SuSE
7.0 to do the trick.
It's no problem to install the box with its own dial-in device (modem).
It does firewalling and masquerades the LAN nicely.
If I switch off masquerading and set the world device to eth1 (towards
the Cisco), it stops incoming packets from the LAN.
I can watch them come in on eth0 with tcpdump but they don't show up on
eth1 of the "firewall" PC.
They come through when I enable masquerading again, but then I get double
MASQ and my LAN boxes get confused.

How can I solve this with yast?

I'd rather not set up my own rule sets before I get deeper into the topic.
I'd like at least the protection that the SuSE dudes could produce with
their sophisticated script.

Btw. I assume real clever hackers get in almost everywhere, but they are
rare. On the other hand there are thousands of script kiddies scanning
the Net when they are home from school, or the whole day if they have a
flat rate.
Their scanners are pounding our Cisco, which presumably doesn't offer
services to the outside itself but does masquerade our LAN.
Is there a potential danger that a SubSeven probably lurking in a
LAN box could answer the call of such a scan and offer its services to
the attacker? In other words, doesn't masquerading itself offer a good
deal of security since it hides our PCs?

Later
    Andreas
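The post describes a two-NIC SuSE box that should filter between the LAN (eth0) and the Cisco (eth1) without masquerading. The script below is an added example, not part of the original post and not the SuSE firewall script the poster refers to; it shows what such a pure routing firewall needs: IP forwarding switched on, replies to LAN-initiated connections allowed back in, unsolicited inbound connections dropped and logged, and no NAT rule anywhere, so the Cisco remains the only box that masquerades. It uses iptables rather than the ipchains of the SuSE 7.0 era, and the interface names and the LAN prefix 192.168.1.0/24 are assumptions. With DRY_RUN set it prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: a LAN <-> upstream-router firewall that routes WITHOUT masquerading.
# Not from the original post or from SuSE's script. Interfaces and prefix are assumptions.
# Run as root to apply; set DRY_RUN=1 (the default when not root) to only print commands.
LAN_IF=${LAN_IF:-eth0}               # NIC towards the LAN
WAN_IF=${WAN_IF:-eth1}               # NIC towards the Cisco (upstream router)
LAN_NET=${LAN_NET:-192.168.1.0/24}   # constructed sample prefix, not from the post

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

apply_router_rules() {
    # Without forwarding, packets seen on eth0 with tcpdump never leave via eth1.
    run sysctl -w net.ipv4.ip_forward=1

    # Start clean. The nat table is flushed and left empty: nothing here masquerades,
    # so the Cisco does the only address translation and there is no "double MASQ".
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Anti-spoofing: a packet arriving from the outside must not claim a LAN source.
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Replies to connections the LAN opened are allowed back through.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections only from the LAN towards the outside. Plain routing:
    # the source address is left unchanged, so the Cisco sees the real LAN hosts.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT

    # Anything else reaching FORWARD (e.g. a scan answered by a trojan on a LAN box
    # would be a reply to an unsolicited inbound connection) is logged, then dropped
    # by the chain policy.
    run iptables -A FORWARD -j LOG --log-prefix "FW-DROP: " --log-level 4

    # Traffic to the firewall box itself: loopback, replies, and ssh from the LAN only.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

# Dry run unless running as root (id -u = 0) and DRY_RUN was not set explicitly.
if [ "$(id -u)" != "0" ] && [ -z "${DRY_RUN:-}" ]; then
    DRY_RUN=1
fi
apply_router_rules
```

One caveat the poster's setup needs regardless of the rule set: once the PC stops masquerading, the Cisco receives packets with real LAN source addresses, so it must have a route for the LAN prefix pointing at the firewall's eth1 address, or replies from the Internet are never sent back through the firewall.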
