From: Al Lipscomb (arl q7.net)
Date: Tue Feb 27 2001 - 07:37:40 CST
On Mon, Feb 26, 2001 at 09:34:59PM -0800, Jeff Wyman wrote:
> Why all this complicated bridging (the man wants routing) and changing of
> network addresses? I am an ignorant teenager, so correct me if I'm wrong,
> but..
>
Routing does a number of things here. One thing is it adds a hop to the
network. If I am looking over your network to find an attack point I
can focus on this "hop" as I know it is your firewall. Check the
IPF documentation on stealth firewalls.
> I think Greg could:
>
> 1. Run routed to have each interface on the OpenBSD router automatically
> added to the internal routing table. Routed can be run with the
> "-q" switch, which will tell it to keep quiet about announcing its routing
> tables to nearby RIP routers (what's the chances of that these days).
>
There is no need to run routed. The description is a simple /24 inside
and the Internet on the outside. If we go with the routed then we have
a possible security hole. I can send bogus routing information to
the daemon and maybe get it to let me in.
One thing most people forget about security is that the attack can
come from inside. If some fool gets his workstation (read Windows
95) trojaned I do not want that to be used to open me up further.
Trust no one.
> 2. Enter static routes using the "route add" command. From Greg's
> description, it sounds like he just has a simple stub network. Static
> routes will not be hard to manage for a small network like his.
>
You do not need to run routed for static routes.
> For either course of action, the routed and route man pages are your best
> friend.
>
--
I am not sure how many monkeys it would take to type out the works of Shakespeare. I do know how many cats it would take to spam a maillist if I leave my computer on.
AA4YU http://www.beekeeper.org http://www.q7.net