Re: Kernel-PPP and PF Questions

From: Michel Talon (talon_at_lpthe.jussieu.fr)
Date: 10/27/04

• Next message: Michel Talon: "Re: Using DD to Clone Compact Flash"
• Previous message: Understudy: "Re: Printing issue"
• In reply to: bob prohaska: "Re: Kernel-PPP and PF Questions"
• Next in thread: bob prohaska: "Re: Kernel-PPP and PF Questions"
• Reply: bob prohaska: "Re: Kernel-PPP and PF Questions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Date: Wed, 27 Oct 2004 07:49:01 +0000 (UTC)

bob prohaska <bp@fib.eecs.berkeley.edu> wrote:
>
> Sounds like the fundamental question comes down to "Given a decent router,
> is there any reason to use it in bridge mode?". Seems like the only downside
> is needing a dual-horizon DNS (the inside hosts know each other by different
> IP's than outside hosts know them).

One advantage of natting is "security by obscurity". In principle
outside hosts don't know anything of your private net, and don't have
any access to it (as long as the router is not compromised ...). If you
have stateful filtering on the router, you can configure it so that the
router blocks every packet which is not in response to something from
inside. So with just one rule you protect the whole private network.
Usually the router can forward some specific ports (DNS, http etc.) to
particular hosts in the "bastion". This is the case of my Linksys. Hence
you can still offer services from inside. Dual horizon DNS with bind9
is extremely easy. The downside is that the router is accessible from
outside and may be compromised. In bridged mode, the router has no IP
address and there is no way from outsiders to attack it. You have to sit
at the console to configure it. Hence you can filter packets on a
machine which is very hard to compromise, and so protect the first
machine behind the router which will manage the connection.

>
> Thanks for reading!
> bob prohaska
>
>

-- 
Michel TALON

---

• Next message: Michel Talon: "Re: Using DD to Clone Compact Flash"
• Previous message: Understudy: "Re: Printing issue"
• In reply to: bob prohaska: "Re: Kernel-PPP and PF Questions"
• Next in thread: bob prohaska: "Re: Kernel-PPP and PF Questions"
• Reply: bob prohaska: "Re: Kernel-PPP and PF Questions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

Relevant Pages Re: Route tables ... > gateway does do NAT. ... ethernet card's configuration (which is usually why the lo interface ... One end plugs into their router, ... -- all hosts configured to use same network ... (comp.os.linux.networking) Re: hosts Eintraege werden nicht erkannt ... nur in der hosts Datei stehen (Internet üb. ... LAN->DSL Router ok, DNS IP ist ... Windows-IP-Konfiguration zu den and. ... Ethernetadapter LAN-Verbindung: ... (microsoft.public.de.german.windowsxp.networking) Re: Terrible Web Surfing Speed ... Are you doing NAT at the router or do you have static ... >> random IPs to your internal hosts? ... > And I understand the DNS server addresses can be passed from the ... > I will have to investigate if there is a way for Linux hosts to share ... (comp.os.linux.networking) Re: Help with simple routing ... You need to enter an explicit routing entry ... > only if you want to reach hosts which are not part of the ... > 192.168.2.0/24 net from your Linux router. ... >>ping between them, not to any of the other machines on the network and I ... (comp.os.linux.networking) Re: Terrible Web Surfing Speed ... All hosts are on a LAN behind a Linksys router. ... Perhaps there is a way to set that up with DHCP ... (comp.os.linux.networking)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)