Date: Wed, 14 Jun 2000 10:56:18 -0500
From: Rocky McGaugh <rmcgaugh@atipa.com>
Subject: Re: kclug - cable/dsl
Message-ID: <Pine.LNX.4.21.0006140946450.12311-100000@boom.atipa>

On 13 Jun 2000, Mike Coleman wrote:
> Tony Hammitt <thammitt@kc.rr.com> writes:
> > With linux, there is never any compelling reason (at home)
> > to have multiple NICs. I doubt that anyone needs a lot of
> > extra bandwidth. IP aliasing is ridiculously easy to set up,
> > so all those people who claim to need two NICs to run a
> > firewall are misinformed. Once DHCP is established, run
> > 'ifconfig eth0:1 <local IP address>'. Now you can have a
> > static /etc/hosts file and a place to forward IP packets to.
>
> Hmm, so you only have one NIC on your masquerading machine? This seems a
> little iffy. Doesn't that potentially allow traffic from your interior
> network to leak out onto RR's network (where it might be sniffed, etc)?
>
> --Mike
>
I agree that I also don't think this is sufficient. One rule that should
always be in your firewall scripts is to check that IPs are not being
spoofed (like a 10. coming in through your external interface). Although
both 'ipchains' and 'route' are supposed to fully support the IP aliasing
devs, I have never gotten Linux to correctly restrict things by aliased
devices. The "-i eth0:1" seems to act just like "-i eth0" to ipchains.
Anyone else had different experiences? If there's some way to make it
work, I'd like to know. :)
-- Rocky McGaugh rmcgaugh@atipa.com
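
A small model of the problem discussed in this thread, added here as an illustration and not code from any of the posters: it compares the anti-spoofing rule on a two-NIC firewall with the same rule on a single NIC carrying an alias. It assumes, as reported in the message above, that a rule naming eth0:1 is matched like one naming eth0; the function names, rule format and addresses are constructed for the example.

```python
import ipaddress

INSIDE = ipaddress.ip_network("10.0.0.0/8")   # interior range (constructed)
ANY = ipaddress.ip_network("0.0.0.0/0")

def base_device(ifname):
    # An alias such as eth0:1 is a second address on eth0, not a second device.
    return ifname.split(":", 1)[0]

def verdict(rules, recv_dev, src):
    """First-match input filter; each rule is (interface, source net, target)."""
    addr = ipaddress.ip_address(src)
    for ifname, net, target in rules:
        # Assumption from the thread: "-i eth0:1" matches like "-i eth0".
        if base_device(ifname) == recv_dev and addr in net:
            return target
    return "DENY"  # default policy

def demo():
    spoofed, lan_host = "10.9.9.9", "10.0.0.5"   # constructed sample sources
    # Two NICs: eth0 faces the provider, eth1 faces the LAN.
    two_nic = [("eth0", INSIDE, "DENY"), ("eth1", INSIDE, "ACCEPT"),
               ("eth0", ANY, "ACCEPT")]
    # One NIC: the LAN address lives on alias eth0:1, but every frame,
    # inside or outside, is received on the physical device eth0.
    alias_strict = [("eth0", INSIDE, "DENY"), ("eth0:1", INSIDE, "ACCEPT")]
    alias_loose = [("eth0:1", INSIDE, "ACCEPT"), ("eth0", INSIDE, "DENY")]
    return {
        "two_nic": (verdict(two_nic, "eth0", spoofed),
                    verdict(two_nic, "eth1", lan_host)),
        "alias_strict": (verdict(alias_strict, "eth0", spoofed),
                         verdict(alias_strict, "eth0", lan_host)),
        "alias_loose": (verdict(alias_loose, "eth0", spoofed),
                        verdict(alias_loose, "eth0", lan_host)),
    }

if __name__ == "__main__":
    for name, (spoof, lan) in demo().items():
        print(f"{name:13} spoofed 10.x from outside: {spoof:6}  LAN host: {lan}")
```

With two devices the rule set drops the spoofed packet and passes the LAN host; with the alias, either ordering treats both packets the same, so the spoof check either blocks the interior network or lets the spoofed source through.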