[1898] in linux-security and linux-alert archive
[linux-security] Re: masquerading
daemon@ATHENA.MIT.EDU (Ed Padin)
Fri Jun 19 01:43:57 1998
From: Ed Padin <epadin@wagweb.com>
To: "'linux-security@redhat.com'" <linux-security@redhat.com>
Date: Wed, 17 Jun 1998 11:20:07 -0400
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
The problem with masquerading is that it does many-to-one NAT. Does your
application support multiple connections from a single IP address?
As far as securing it goes... how about this:
I imagine that your application must use a specific set of ports. Use
ipfwadm to block these ports by default. Make the users log in via SSH
or some other secure login type setup. Have a script running that, when
they log in, will grab the IP address they log in from and use ipfwadm
commands to open the ports for your application to the client's IP
address. You make another script that closes all these opened
connections every night. This will make the user only have to log in
once a day.
I don't know how this holds up against address spoofing but I don't
think spoofing is very useful without source-routing (which should
always be turned off in your kernel config!)**
** Only 95% sure of this statement so please correct me if need be. My
take is that source spoofing can only be used for break-in attacks when
coupled with source-routing. Source routing is the only way to get
spoofed packets back to the "real" source of the spoofed packets.
Spoofing is still usable and difficult to trace for DoS attacks.
Thanks.
-----Original Message-----
From: Michael Erhard
[mailto:micha@andromeda.lalula.de]
Sent: Tuesday, June 16, 1998 2:59 AM
To: linux-security@redhat.com
Subject: [linux-security] masquerading
Following situation:
Having an intranet application that needs to know the IP address of the
clients before running.
Clients anywhere in the Internet with any IP address.
So I thought about using masquerading the opposite way than normal.
But then anybody could use this application.
Does anybody know how to make it a little bit more secure, like proving
the MAC address of the client, or something like this.
Or maybe with IP-IP tunneling?
Michael Erhard
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null
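The login-time and nightly scripts that Ed Padin sketches above, written out as an added example (not code from the thread or from either poster) in the ipfwadm syntax of 2.0-era kernels; the application ports, the state file, the use of the input chain and the echo fallback when ipfwadm is not installed are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a sketch of the scheme in Ed Padin's
# reply, in the ipfwadm syntax of 2.0-era kernels. The application ports,
# the state file and the use of the input chain (-I) are assumptions.
APP_PORTS="${APP_PORTS:-5000 5001}"        # assumed application ports (TCP)
STATE="${STATE:-/var/run/appfw-open.list}" # assumed record of opened addresses
# Use the real tool when installed; otherwise only print what would be run.
IPFWADM=$(command -v ipfwadm || echo 'echo ipfwadm')

# Take the client's IPv4 address from sshd's SSH_CLIENT ("addr port port")
# and accept only a well-formed dotted quad, so nothing unexpected from the
# environment ever lands on a root-run ipfwadm command line.
client_ip() {
    ip=$(printf '%s' "${1:-$SSH_CLIENT}" | cut -d' ' -f1)
    case "$ip" in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
    printf '%s\n' "$ip"
}

# Insert (-i) or delete (-d) one accept rule for <ip> on <port>; the accept
# rules sit ahead of a default rule denying the application ports from
# everywhere, e.g.  ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 5000 5001
rule() {  # rule <-i|-d> <ip> <port>
    $IPFWADM -I "$1" accept -P tcp -S "$2" -D 0.0.0.0/0 "$3"
}

# Login-time hook (run from the user's login profile): open the ports for
# the address the user came from and remember it for the nightly cleanup.
open_for_login() {
    ip=$(client_ip "$1") || { echo 'no usable client address' >&2; return 1; }
    for p in $APP_PORTS; do rule -i "$ip" "$p"; done
    echo "$ip" >> "$STATE"
}

# Nightly cron job: remove exactly the accept rules added during the day,
# so every user is back behind the default deny until the next login.
close_all() {
    [ -f "$STATE" ] || return 0
    while read -r ip; do
        for p in $APP_PORTS; do rule -d "$ip" "$p"; done
    done < "$STATE"
    : > "$STATE"
}
```

On a current kernel the same idea is expressed with iptables or nftables rules, so only the `rule` function would change.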