* Firewall question
@ 2006-06-08 18:57 Alex Davis
From: Alex Davis @ 2006-06-08 18:57 UTC (permalink / raw)
To: netfilter, netdev
The scenario:
I have a DSL modem in pass through (bridge) mode. The linux firewall/router
has a single ethernet card. It is running pppoe. This gives two interfaces:
eth0 and ppp0. The firewall is running iptables. There are several machines
behind the firewall.
Problem:
I've been told that if someone whose public IP address is on the same
network subnet as mine were to get my mac address, (s)he could bypass
the firewall and talk directly to the machines behind it.
Is this true?
Thanks.
I code, therefore I am
* Re: Firewall question
From: Lennart Sorensen @ 2006-06-08 19:26 UTC (permalink / raw)
To: Alex Davis; +Cc: netfilter, netdev
On Thu, Jun 08, 2006 at 11:57:12AM -0700, Alex Davis wrote:
> The scenario:
> I have a DSL modem in pass through (bridge) mode. The linux firewall/router
> has a single ethernet card. It is running pppoe. This gives two interfaces:
> eth0 and ppp0. The firewall is running iptables. There are several machines
> behind the firewall.
>
> Problem:
> I've been told that if someone whose public IP address is on the same
> network subnet as mine were to get my mac address, (s)he could bypass
> the firewall and talk directly to the machines behind it.
>
> Is this true?
Well, the DSL modem only transfers whatever data the ISP end sends to it,
which in your case is just PPP packets (LCC or LCP I think). No one out
on the internet would be able to send ethernet data over the DSL link,
so the only way to send data to another machine on your network (that
the DSL modem is connected to physically) is if you have other machines
on your local network which are also running PPPoE and listening for
that traffic.
So the worst thing I can see happening is that someone on your local
network could potentially take over your PPPoE session, but that's about
it. I just can't see anything else that could happen. I used to run
exactly the setup you describe before I had to drop the DSL connection
(I moved).
Len Sorensen
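The reply above says the only frames that should ever cross the modem-facing interface are PPPoE. An added example (not from the thread or its authors) that turns this into an enforceable rule: a shell script that generates an nftables ruleset limiting eth0 to the two PPPoE ethertypes, so an IP or ARP frame that arrives addressed to the firewall's MAC from the modem side is counted and dropped before it reaches the IP stack or the FORWARD path. It assumes nftables is available, that eth0 is connected only to the modem (the LAN sits on another NIC or VLAN), and uses a hypothetical table name `dsl_guard`.

```shell
#!/bin/sh
# Added example, not the list's own code: lock the DSL-facing interface down to PPPoE.
# Assumes: nftables present, eth0 carries only the modem link (LAN on another NIC/VLAN).
DSL_IF="${DSL_IF:-eth0}"
PPPOE_DISCOVERY=0x8863   # PADI/PADO/PADR/PADS/PADT frames
PPPOE_SESSION=0x8864     # PPP frames inside an established session

# Emit the ruleset. The create-then-delete pair makes re-running the script idempotent.
# The egress chain needs the netdev egress hook (Linux 5.16+, nftables 1.0.1+); drop it
# on older kernels and the ingress chain alone still stops inbound non-PPPoE frames.
pppoe_only_ruleset() {
    cat <<EOF
table netdev dsl_guard
delete table netdev dsl_guard
table netdev dsl_guard {
    chain ingress {
        type filter hook ingress device $DSL_IF priority 0; policy drop;
        meta protocol { $PPPOE_DISCOVERY, $PPPOE_SESSION } counter accept
        counter log prefix "dsl_guard in non-pppoe: " drop
    }
    chain egress {
        type filter hook egress device $DSL_IF priority 0; policy drop;
        meta protocol { $PPPOE_DISCOVERY, $PPPOE_SESSION } counter accept
        counter log prefix "dsl_guard out non-pppoe: " drop
    }
}
EOF
}

# Load the ruleset atomically; NFT=echo gives a dry run.
apply_ruleset() {
    pppoe_only_ruleset | "${NFT:-nft}" -f -
}

# PPPoE needs no IP address on the carrier interface; an address there is exactly what
# lets a neighbour on the modem segment talk IP to the firewall. Pipe
# `ip addr show dev $DSL_IF` into this and it succeeds only if no IPv4 address is set.
iface_has_no_ip() {
    ! grep -q 'inet '
}
```

Check the counters afterwards with `nft list table netdev dsl_guard`; a non-zero drop counter on the ingress chain is the evidence for the scenario the original question asks about.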
From: Andi Kleen @ 2006-06-09 3:43 UTC (permalink / raw)
To: Lennart Sorensen; +Cc: Alex Davis, netfilter, netdev
> Well the DSL modem only transfers whatever data the ISP end sends to it,
> which in your case is just PPP packets (LCC or LCP I think). No one out
> on the internet
No one out on the internet, but it would be trivial for someone outside
his house. All his traffic will be on a long unsecured cable.
That is why I would never bridge home ethernet traffic onto a DSL line.
-Andi
From: Lennart Sorensen @ 2006-06-09 13:12 UTC (permalink / raw)
To: Andi Kleen; +Cc: Alex Davis, netfilter, netdev
On Fri, Jun 09, 2006 at 05:43:24AM +0200, Andi Kleen wrote:
> No one out on the internet, but it would be trivial for someone outside
> his house. All his traffic will be on a long unsecured cable.
>
> That is why I would never bridge home ethernet traffic onto a DSL line.
Hmm, traffic sent between his machines would not go over the DSL since
the MAC address doesn't match the DSL modem (I would think so at
least). It would be a mess if the DSL modem tried to forward all
traffic on an ethernet segment (well, it doesn't have the bandwidth for
sure). Maybe I am incorrectly assuming the DSL modem only forwards the
PPPoE traffic being sent at it. I could see broadcast traffic being
forwarded, although ARPs and such are generally not that interesting.
Len Sorensen