* Messages in log with SNAT target
From: Anssi Hannula @ 2006-07-24 9:17 UTC
To: netfilter

Hi!

I've been using this kind of configuration on my Linux router for a few years:

eth0    80.223.77.223, public internet ip
eth0:0  10.0.0.1, private network ip

IP forwarding enabled.

And a rule for iptables:

-A POSTROUTING -s 10.0.0.0/255.255.255.0 -d ! 10.0.0.0/255.255.255.0 -j SNAT --to-source 80.223.77.223

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     10     0        0 eth0
80.223.64.0     0.0.0.0         255.255.240.0   U     10     0        0 eth0
0.0.0.0         80.223.64.1     0.0.0.0         UG    10     0        0 eth0

However, I get lots of this kind of messages in the dmesg while routing:

host 10.0.0.4/if2 ignores redirects for 70.35.xxx.xxx to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 68.219.xxx.xxx to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 193.88.xxx.xxx to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 80.81.xxx.xxx to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 80.81.xxx.xxx to 80.223.64.1.

10.0.0.4 is a Windows machine in the private network set to use 10.0.0.1 (router) as a gateway. 80.223.64.1 is the ISP gateway. The third IP number in the log message is the IP number of a server to which 10.0.0.4 is connected.

Note that the routing itself works just fine; there is just this log message flood.

Please advise.

-- 
Anssi Hannula
* RE: Messages in log with SNAT target
From: Sietse van Zanen @ 2006-07-24 10:15 UTC
To: Anssi Hannula, netfilter

This means your Windows machine does not use the ICMP redirects your firewall sends it. This is only cosmetic in your case.

The messages are there because both of your networks are on the same physical interface. Split this up and use two different physical interfaces. The setup you are using is also not a recommended one.

-Sietse
* Re: Messages in log with SNAT target
From: Pascal Hambourg @ 2006-07-24 10:24 UTC
To: netfilter

Hello,

Anssi Hannula wrote:
>
> I've been using this kind of configuration on my Linux router for a few
> years:
>
> eth0 80.223.77.223, public internet ip
> eth0:0 10.0.0.1, private network ip

You know that having both internet and a private LAN on the same interface is a *very* bad idea, don't you? I suppose you have no other choice.

> IP forwarding enabled.
>
> And a rule for iptables:
> -A POSTROUTING -s 10.0.0.0/255.255.255.0 -d ! 10.0.0.0/255.255.255.0 -j
> SNAT --to-source 80.223.77.223
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 10.0.0.0        0.0.0.0         255.255.255.0   U     10     0        0 eth0
> 80.223.64.0     0.0.0.0         255.255.240.0   U     10     0        0 eth0
> 0.0.0.0         80.223.64.1     0.0.0.0         UG    10     0        0 eth0
>
> However, I get lots of this kind of messages in the dmesg while routing:
> host 10.0.0.4/if2 ignores redirects for 70.35.xxx.xxx to 80.223.64.1.
[and so on]

Here's what happens. On your router box, all routes use the same interface eth0, so when it receives a packet for another destination than the box itself, it sends an "ICMP Redirect" message to the source IP address meaning "hey, there is a more direct route to destination 70.35.x.x using gateway 80.223.64.1 instead of me. Please update your routing table".

Happily, the 1.0.0.4 host ignores the "ICMP Redirect" messages. One reason, I think, is that this is the default behaviour of Windows NT. Another reason is that the host probably has no direct route to the proposed gateway address. Anyway, if it didn't ignore the "ICMP Redirect", it would probably lose connectivity with internet hosts because of its private address.

Note: destination NAT (DNAT) on the same network blocks the sending of "ICMP Redirect" messages by the routing decision, because destination NAT takes place before the routing decision. But source NAT (SNAT, MASQUERADE) doesn't, because it takes place after the routing decision, so it's too late (see the Netfilter diagram in http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.txt).

You can enable or disable the sending of "ICMP Redirect" messages with the kernel parameter send_redirect.

send_redirects - BOOLEAN
        Send redirects, if router.
        send_redirects for the interface will be enabled if at least one of
        conf/{all,interface}/send_redirects is set to TRUE,
        it will be disabled otherwise
        Default: TRUE

To disable sending "ICMP redirect" on eth0:

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

or:

sysctl -w net/ipv4/conf/all/send_redirects=0
sysctl -w net/ipv4/conf/eth0/send_redirects=0
* RE: Messages in log with SNAT target
From: Sietse van Zanen @ 2006-07-24 10:49 UTC
To: Pascal Hambourg, netfilter

It's NOT default behaviour of NT to drop ICMP Redirects. It IS default behaviour not to accept gateways that are not on the local subnet. This should count for UNIX too, I think.

-Sietse
* Re: Messages in log with SNAT target
From: Pascal Hambourg @ 2006-07-25 13:21 UTC
To: netfilter

Sietse van Zanen wrote:
> It's NOT default behaviour of NT to drop ICMP Redirects.

You're right, my mistake. I had tested that some time ago, but I must have made a mistake. I just tested again Windows NT4, 2000 and XP as well as Windows 98 and they all accept ICMP redirects by default.

> It IS default behaviour not to accept gateways that are not on the local subnet.

I hope this is not only default behaviour but permanent fixed behaviour.
* RE: Messages in log with SNAT target
From: Sietse van Zanen @ 2006-07-25 13:37 UTC
To: netfilter

Let's make that permanent for UNIX and permanent 'fixed' for Windoze.... :-)
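Pascal's explanation (SNAT runs after the routing decision, so the router still emits ICMP redirects pointing the 10.0.0.x hosts at 80.223.64.1) and the Sietse/Pascal exchange about hosts rejecting a gateway outside their own subnet can both be checked from the router's own log. The script below is an added example, not code from the thread or the netfilter project: it parses the "ignores redirects" lines, reports per source host whether the advertised gateway is even on that host's subnet, and applies the documented conf/{all,interface}/send_redirects rule to a set of sysctl values. The sample dmesg lines, the 10.0.0.0/24 prefix and the sysctl values are constructed from the figures quoted in the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the lines quoted in the thread; the
# "xxx" octets and the second host are made up for the example.
SAMPLE_DMESG = """\
host 10.0.0.4/if2 ignores redirects for 70.35.1.2 to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 68.219.3.4 to 80.223.64.1.
host 10.0.0.4/if2 ignores redirects for 193.88.5.6 to 80.223.64.1.
host 10.0.0.7/if2 ignores redirects for 80.81.7.8 to 80.223.64.1.
kernel: unrelated line that must be ignored
"""

# Subnet the redirected hosts live in, taken from the routing table in the thread.
LAN_PREFIXES = [ip_network("10.0.0.0/24")]

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
_LINE_RE = re.compile(
    rf"host (?P<host>{_IPV4})/(?P<ifname>\S+) ignores redirects "
    rf"for (?P<dst>{_IPV4}) to (?P<gw>{_IPV4})\.?"
)


def parse_redirect_lines(text):
    """Return one dict per matching 'ignores redirects' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.search(line)
        if m:
            events.append({k: m.group(k) for k in ("host", "ifname", "dst", "gw")})
    return events


def host_prefix(host, prefixes):
    """First configured prefix containing host, or None if it is not a known LAN host."""
    for p in prefixes:
        if ip_address(host) in p:
            return p
    return None


def gateway_on_host_subnet(host, gw, prefixes=LAN_PREFIXES):
    """A host can only install a redirect whose gateway is on its own subnet."""
    p = host_prefix(host, prefixes)
    return p is not None and ip_address(gw) in p


def summarize(text, prefixes=LAN_PREFIXES):
    """Per source host: event count, advertised gateways, and whether any of
    them is usable from that host. 'usable': False means the redirect can
    never be acted on and only produces the log flood seen in the thread."""
    summary = defaultdict(lambda: {"events": 0, "gateways": set(), "usable": False})
    for ev in parse_redirect_lines(text):
        s = summary[ev["host"]]
        s["events"] += 1
        s["gateways"].add(ev["gw"])
        if gateway_on_host_subnet(ev["host"], ev["gw"], prefixes):
            s["usable"] = True
    return dict(summary)


def send_redirects_effective(conf, ifname):
    """Apply the rule quoted from the kernel docs: redirects are sent on an
    interface if conf/all OR conf/<ifname>/send_redirects is set, so both
    must be 0 before the router stops emitting them. `conf` is a constructed
    dict such as {"all": 0, "eth0": 1} standing in for the /proc/sys values."""
    return bool(conf.get("all", 0)) or bool(conf.get(ifname, 0))


if __name__ == "__main__":
    for host, s in summarize(SAMPLE_DMESG).items():
        print(f"{host}: {s['events']} redirects ignored, gateways {sorted(s['gateways'])},"
              f" usable from host: {s['usable']}")
    for conf in ({"all": 0, "eth0": 1}, {"all": 0, "eth0": 0}):
        print(conf, "-> redirects sent on eth0:", send_redirects_effective(conf, "eth0"))
```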
* Re: Messages in log with SNAT target
From: Anssi Hannula @ 2006-07-24 11:03 UTC
To: netfilter

Pascal Hambourg wrote:
> Hello,

Hi, and thank you very much for your thorough answer.

> Anssi Hannula wrote:
>
>> I've been using this kind of configuration on my Linux router for a few
>> years:
>>
>> eth0 80.223.77.223, public internet ip
>> eth0:0 10.0.0.1, private network ip
>
> You know that having both internet and a private LAN on the same
> interface is a *very* bad idea, don't you? I suppose you have no other
> choice.

Oops, I didn't know :((

Is the bad part having both of them on the same physical network, or only the fact that they are on the same interface?

Then again, this is a wireless network where some hosts have public+private IPs and some hosts private IPs, so I guess it would be pretty impractical to have two interfaces on every system which I want to have a public IP too.

What is the security risk here, exactly?

-- 
Anssi Hannula
* RE: Messages in log with SNAT target
From: Sietse van Zanen @ 2006-07-24 11:33 UTC
To: Anssi Hannula, netfilter

The security risk, and it is a MAJOR one, especially with WiFi networks, is that any PC on the network could just be set up with a private IP on your private network and start sniffing for passwords etc.

It's a very, very bad idea to put your public and private WiFi infrastructure on the same physical network. I would say there's even no point in firewalling this. Firewalling is separating, you are combining.

-Sietse
* Re: Messages in log with SNAT target
From: Anssi Hannula @ 2006-07-24 12:01 UTC
To: Sietse van Zanen; +Cc: netfilter

Sietse van Zanen wrote:
> The security risk, and it is a MAJOR one, especially with WiFi networks, is that any PC on the network could just be set up with a private IP on your private network and start sniffing for passwords etc.
>
> It's a very, very bad idea to put your public and private WiFi infrastructure on the same physical network.
> I would say there's even no point in firewalling this. Firewalling is separating, you are combining.
>
> -Sietse

In this case the private network is only a very small home network. I don't see there being too big a risk of anyone setting up a box with a private IP on the network with harm on their mind. If that were possible, wouldn't the security of the whole system be compromised so much that the private/public separation doesn't matter anymore?

The main purpose of the private IPs here is ease of use and having no public IP for a system if so wanted.

-- 
Anssi Hannula
* RE: Messages in log with SNAT target
From: Sietse van Zanen @ 2006-07-24 12:39 UTC
To: Anssi Hannula; +Cc: netfilter

If it's your home network and you've encrypted your WiFi connection, it would be a minor personal risk. I would never do this in a major company, however.

But if it's anyhow possible for you, I would still advise you to split it up; it'll make things more comprehensible and easier to manage.

-Sietse
Re: Messages in log with SNAT target
From: Anssi Hannula @ 2006-07-24 12:55 UTC
To: Sietse van Zanen; Cc: netfilter

Sietse van Zanen wrote:
> If it's your home network and you've encrypted your WiFi connection, it
> would be minor personal risks.

Yep.

> I would never do this in a major company however.

Neither would I. In a major company of course the whole internal network
would be behind an appropriate router with no public IPs inside the
network.

> But if it's anyhow possible for you, I would still advise you to split
> it up, it'll make things more comprehensible and easier to manage.

Well, splitting the network into two physical networks in my case would be
pretty difficult, as one might sometimes want to momentarily have a public
IP on a system that normally has a private IP (it's hard especially if
that system is a laptop on WLAN).

Anyway, thanks for your replies.

> -Sietse
>
> ________________________________
>
> From: Anssi Hannula [mailto:anssi.hannula@gmail.com]
> Sent: Mon 24-Jul-06 14:01
> To: Sietse van Zanen
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Messages in log with SNAT target
>
> Sietse van Zanen wrote:
>
>> The security risk is, and it is a MAJOR one, especially with WiFi
>> networks, is that any PC on the network could just be set up with a
>> private IP on your private network, start sniffing for passwords etc.
>>
>> It's a very, very bad idea to put your public and private WiFi
>> infrastructure on the same physical network.
>> I would say, there's even no point in firewalling this. Firewalling is
>> separating, you are combining.
>>
>> -Sietse
>
> In this case the private network is only a very small home network. I
> don't see there being too big a risk of anyone setting up a box with
> private IP on the network with harm on their mind. If that would be
> possible, wouldn't the security of the whole system be compromised so
> much that the private/public separation doesn't matter anymore?
>
> The main purpose of the private IPs here is the ease of use and having
> no public IP for a system if so wanted.
>
>> ________________________________
>>
>> From: netfilter-bounces@lists.netfilter.org on behalf of Anssi Hannula
>> Sent: Mon 24-Jul-06 13:03
>> To: netfilter@lists.netfilter.org
>> Subject: Re: Messages in log with SNAT target
>>
>> Pascal Hambourg wrote:
>>
>>> Hello,
>>
>> Hi, and thank you very much for your thorough answer.
>>
>>> Anssi Hannula wrote:
>>>
>>>> I've been using this kind of configuration on my Linux router for a
>>>> few years:
>>>>
>>>> eth0 80.223.77.223, public internet ip
>>>> eth0:0 10.0.0.1, private network ip
>>>
>>> You know that having both internet and a private LAN on the same
>>> interface is a *very* bad idea, don't you? I suppose you have no
>>> other choice.
>>
>> Oops, I didn't know :((
>>
>> Is the bad part having both of them on the same physical network, or
>> only the fact that they are on the same interface?
>>
>> Then again, this is a wireless network where some hosts have
>> public+private IPs and some hosts private IPs, so I guess it would be
>> pretty non-practical to have two interfaces on every system which I
>> want to have a public IP too.
>>
>> What is the security risk here, exactly?
>>
>>>> IP forwarding enabled.
>>>>
>>>> And a rule for iptables:
>>>> -A POSTROUTING -s 10.0.0.0/255.255.255.0 -d ! 10.0.0.0/255.255.255.0 -j SNAT --to-source 80.223.77.223
>>>>
>>>> Kernel IP routing table
>>>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>>>> 10.0.0.0        0.0.0.0         255.255.255.0   U     10     0        0 eth0
>>>> 80.223.64.0     0.0.0.0         255.255.240.0   U     10     0        0 eth0
>>>> 0.0.0.0         80.223.64.1     0.0.0.0         UG    10     0        0 eth0
>>>>
>>>> However, I get lots of this kind of messages in the dmesg while routing:
>>>> host 10.0.0.4/if2 ignores redirects for 70.35.xxx.xxx to 80.223.64.1.
>>>
>>> [and so on]
>>>
>>> Here's what happens. On your router box, all routes use the same
>>> interface eth0, so when it receives a packet for another destination
>>> than the box itself, it sends an "ICMP Redirect" message to the source
>>> IP address meaning "hey, there is a more direct route to destination
>>> 70.35.x.x using gateway 80.223.64.1 instead of me. Please update your
>>> routing table".
>>>
>>> Happily, the 1.0.0.4 host ignores the "ICMP Redirect" messages. One
>>> reason is I think that's a default behaviour of Windows NT. Another
>>> reason is that host has probably no direct route to the proposed
>>> gateway address. Anyway, if it didn't ignore the "ICMP Redirect", it
>>> would probably lose connectivity with internet hosts because of its
>>> private address.
>>>
>>> Note: destination NAT (DNAT) on the same network blocks the sending
>>> of "ICMP Redirect" messages by the routing decision, because
>>> destination NAT takes place before the routing decision. But source
>>> NAT (SNAT, MASQUERADE) doesn't, because it takes place after the
>>> routing decision, so it's too late (see Netfilter diagram in
>>> http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO.txt).
>>>
>>> You can enable or disable the sending of "ICMP Redirect" messages
>>> with the kernel parameter send_redirect.
>>>
>>> send_redirects - BOOLEAN
>>>     Send redirects, if router.
>>>     send_redirects for the interface will be enabled if at least one of
>>>     conf/{all,interface}/send_redirects is set to TRUE,
>>>     it will be disabled otherwise
>>>     Default: TRUE
>>>
>>> To disable sending "ICMP redirect" on eth0:
>>>
>>> echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
>>> echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
>>>
>>> or:
>>>
>>> sysctl -w net/ipv4/conf/all/send_redirects=0
>>> sysctl -w net/ipv4/conf/eth0/send_redirects=0
>>
>> --
>> Anssi Hannula
>
> --
> Anssi Hannula

--
Anssi Hannula
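As an added example (not code from the thread, the kernel or netfilter), the following Python models the routing decision Pascal describes above: the posted routing table and router addresses, a forwarded packet from 10.0.0.4, DNAT applied before the route lookup and SNAT after it, and the all/interface OR rule for send_redirects from the quoted kernel documentation; it also counts the posted dmesg lines per host and advertised gateway. Assumptions: 70.35.1.1 is a constructed stand-in for the masked 70.35.xxx.xxx, and the redirect condition (packet leaves on the interface it arrived on) is the simplified rule the thread gives, not the kernel's full logic.

```python
"""Why the router in the thread emits ICMP Redirects for SNAT'ed traffic when
the public and private networks share one interface (added example, not code
from the thread or the kernel). Addresses and routes are the ones posted; the
redirect rule is the simplified one the thread gives, not the kernel's logic.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: IPv4Network
    gateway: Optional[IPv4Address]  # None: destination is directly connected
    dev: str


# The router's own addresses and its "Kernel IP routing table" from the post.
LOCAL_ADDRS = {IPv4Address("80.223.77.223"), IPv4Address("10.0.0.1")}
ROUTES = [
    Route(IPv4Network("10.0.0.0/24"), None, "eth0"),
    Route(IPv4Network("80.223.64.0/20"), None, "eth0"),
    Route(IPv4Network("0.0.0.0/0"), IPv4Address("80.223.64.1"), "eth0"),
]


def lookup(dst, routes=ROUTES) -> Route:
    """Longest-prefix match; the /0 default route is the fallback."""
    dst = IPv4Address(dst)
    return max((r for r in routes if dst in r.dst), key=lambda r: r.dst.prefixlen)


def send_redirects(sysctl: dict, dev: str) -> bool:
    """net.ipv4.conf.{all,<dev>}.send_redirects as the quoted kernel doc states:
    enabled if at least one of the two is TRUE; both default to 1."""
    return bool(sysctl.get("all", 1)) or bool(sysctl.get(dev, 1))


def forward(src, dst, in_dev, sysctl, dnat_to=None, snat_to=None):
    """Model one forwarded packet; returns (redirect_target, egress_src).

    redirect_target is the next hop an ICMP Redirect would advertise to src,
    or None when no redirect is sent. DNAT (PREROUTING) is applied before the
    routing decision and SNAT (POSTROUTING) after it, as in the NAT HOWTO.
    """
    src, dst = IPv4Address(src), IPv4Address(dst)
    if dnat_to is not None:
        dst = IPv4Address(dnat_to)    # PREROUTING: the routing decision sees this
    if dst in LOCAL_ADDRS:
        return None, src              # addressed to the box itself: not forwarded
    route = lookup(dst)
    next_hop = route.gateway if route.gateway is not None else dst
    redirect = None
    if route.dev == in_dev and send_redirects(sysctl, in_dev):
        redirect = next_hop           # leaves on the interface it arrived on
    egress_src = IPv4Address(snat_to) if snat_to is not None else src  # POSTROUTING
    return redirect, egress_src


# dmesg format from the original post:
# "host 10.0.0.4/if2 ignores redirects for 70.35.xxx.xxx to 80.223.64.1."
LOG_RE = re.compile(
    r"host (?P<host>[\d.]+)/if\d+ ignores redirects for (?P<dst>[\w.]+) to (?P<gw>[\d.]+)\."
)


def count_ignored_redirects(lines) -> Counter:
    """Size the log flood per (complaining host, advertised gateway)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[(m["host"], m["gw"])] += 1
    return hits


if __name__ == "__main__":
    dst = "70.35.1.1"                 # constructed stand-in for 70.35.xxx.xxx
    for sysctl in ({}, {"all": 0}, {"all": 0, "eth0": 0}):
        print(sysctl, forward("10.0.0.4", dst, "eth0", sysctl, snat_to="80.223.77.223"))
    sample = ["host 10.0.0.4/if2 ignores redirects for 70.35.xxx.xxx to 80.223.64.1.",
              "host 10.0.0.4/if2 ignores redirects for 80.81.xxx.xxx to 80.223.64.1."]
    print(count_ignored_redirects(sample))   # constructed from the posted lines
```

Setting only conf/all/send_redirects to 0 leaves the redirects on, because conf/eth0 still defaults to 1; both settings from Pascal's reply are needed.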
Re: Messages in log with SNAT target
From: R. DuFresne @ 2006-07-26 0:40 UTC
To: Anssi Hannula; Cc: netfilter

On Mon, 24 Jul 2006, Anssi Hannula wrote:

> Sietse van Zanen wrote:
>> The security risk is, and it is a MAJOR one, especially with WiFi
>> networks, is that any PC on the network could just be set up with a
>> private IP on your private network, start sniffing for passwords etc.
>>
>> It's a very, very bad idea to put your public and private WiFi
>> infrastructure on the same physical network.
>> I would say, there's even no point in firewalling this. Firewalling is
>> separating, you are combining.
>>
>> -Sietse
>
> In this case the private network is only a very small home network. I
> don't see there being too big a risk of anyone setting up a box with
> private IP on the network with harm on their mind. If that would be
> possible, wouldn't the security of the whole system be compromised so
> much that the private/public separation doesn't matter anymore?
>
> The main purpose of the private IPs here is the ease of use and having
> no public IP for a system if so wanted.

Hopefully, for yer sake, you are the only home for miles and miles
around.... Yet, I doubt such is the case, so you are a risk to all sadly.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
Re: Messages in log with SNAT target
From: Anssi Hannula @ 2006-07-26 8:16 UTC
To: R. DuFresne; Cc: netfilter

R. DuFresne wrote:
> On Mon, 24 Jul 2006, Anssi Hannula wrote:
>
>> The main purpose of the private IPs here is the ease of use and having
>> no public IP for a system if so wanted.
>
> Hopefully, for yer sake, you are the only home for miles and miles
> around.... Yet, I doubt such is the case, so you are a risk to all sadly.

So, what do you suggest, then?

That I have 2 separate wireless networks, one for the internet and one
for the private network?

(the WLAN is of course WPA encrypted)

--
Anssi Hannula
RE: Messages in log with SNAT target
From: Sietse van Zanen @ 2006-07-26 9:17 UTC
To: Anssi Hannula, R. DuFresne; Cc: netfilter

That, or put your WiFi in a DMZ behind a firewall, and have the firewall
protect your private network.

Making WiFi DMZs is sort of standard practice.

-sietse
Re: Messages in log with SNAT target
From: Anssi Hannula @ 2006-07-26 11:21 UTC
To: Sietse van Zanen; Cc: netfilter

Sietse van Zanen wrote:
> That, or put your WiFi in a DMZ behind a firewall, and have the firewall
> protect your private network.
>
> Making WiFi DMZs is sort of standard practice.
>
> -sietse

I don't really get it.

As far as I can see, there are currently two weak points in my network:
1. Someone could compromise one of the hosts remotely.
2. Someone could crack the WLAN encryption.

No matter what kind of firewalls or network schemes I deploy, neither of
those points goes away.

--
Anssi Hannula
RE: Messages in log with SNAT target
From: Sietse van Zanen @ 2006-07-26 11:22 UTC
To: Anssi Hannula; Cc: netfilter

The important issue you have is not WHAT somebody can hack. It's what
somebody can DO and ACCESS, WHEN you've been hacked.

If somebody does manage to take over one of your systems, he most
certainly gains access to ALL the systems on the same physical
(sub)network. As ALL your systems are on the same net, draw the
conclusion.

Combine that conclusion with the innate vulnerability of WiFi networks
and do the math. It's unwise to use your set up. Period. It's not for
nothing that recommendations always talk about shielding your WiFi with
a firewall. Now for personal use, it might be acceptable to do otherwise,
but that's up to you; as always the choice is between security and
convenience.

-Sietse
Re: Messages in log with SNAT target
From: Anssi Hannula @ 2006-07-26 11:54 UTC
To: Sietse van Zanen; Cc: netfilter

Sietse van Zanen wrote:
> The important issue you have is not WHAT somebody can hack. It's what
> somebody can DO and ACCESS, WHEN you've been hacked.
>
> If somebody does manage to take over one of your systems, he most
> certainly gains access to ALL the systems on the same physical
> (sub)network. As ALL your systems are on the same net, draw the
> conclusion.
>
> Combine that conclusion with the innate vulnerability of WiFi networks
> and do the math. It's unwise to use your set up. Period. It's not for
> nothing that recommendations always talk about shielding your WiFi with
> a firewall. Now for personal use, it might be acceptable to do
> otherwise, but that's up to you; as always the choice is between
> security and convenience.

Thanks for your reply. Unfortunately, you do not seem to offer any
alternative to my current setup.

Do you suggest that having all the systems on the same physical network
is unwise? If yes, should I have multiple subnetworks for my *home
network*, which has only 3 hosts, of which I want a public IP for 2-3
hosts?

You seem to suggest that one should shield the WLAN with a firewall.
Where would that firewall go? Between the WLAN and the only host that
doesn't usually need to have public access from the internet? But the
WLAN adapter is *in* the laptop, so that would have to be a software
firewall. But wait, what would we want to block? All incoming traffic?

It seems you don't know enough of my network, so here's the scheme:

ADSL modem, no natting.
WLAN access point connected to the ADSL modem, no natting.
Host 1 with private+public IP, needs to have public access from internet,
connected to WLAN AP via wireless.
Host 2 with private+public IP, needs to have public access from internet,
connected to ADSL modem via ethernet.
Host 3 with private IP only, connected to WLAN AP via wireless, routed
through Host 1.

If you have any suggestion to make this better, feel free to do so.

--
Anssi Hannula
Re: Messages in log with SNAT target
From: R. DuFresne @ 2006-07-27 19:09 UTC
To: Anssi Hannula; Cc: netfilter

On Wed, 26 Jul 2006, Anssi Hannula wrote:

> Thanks for your reply. Unfortunately, you do not seem to offer any
> alternative to my current setup.

Actually he did offer an alternative, though you had to read carefully
his answer; go with a wired set of networks, both distinct from one
another. Firewall those networks, adding further isolation from each
other and from the public internet at large.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>
Re: Messages in log with SNAT target
From: Anssi Hannula @ 2006-07-27 19:46 UTC
To: R. DuFresne; Cc: netfilter

R. DuFresne wrote:
> On Wed, 26 Jul 2006, Anssi Hannula wrote:
>
>> Thanks for your reply. Unfortunately, you do not seem to offer any
>> alternative to my current setup.
>
> Actually he did offer an alternative, though you had to read carefully
> his answer; go with a wired set of networks, both distinct from one
> another.

Well, I can't go with a wired network, especially with the laptop. I
consider WLAN with a proper WPA encryption to be sufficiently secure for
my purposes.

> Firewall those networks, adding further isolation from each other and
> from the public internet at large.

But if these are two distinct networks (the first one being connected to
the internet and the workstations, the second one connected to
workstations only), what do you mean by "firewalling" them? There cannot
be any blocking of traffic on the first network, as the whole purpose of
the network is to allow connections from the internet. The second network
contains only internal traffic, and blocking any of that would result in
trouble only.

People, thanks for your concern over my network security, but I don't
really think I can achieve much better security by rewiring my network
differently. The biggest security problem I have is the possibility of
vulnerabilities in the server software, and if such a vulnerability gets
exploited, no firewall will help me then. I have to just make sure that
doesn't happen.

--
Anssi Hannula