[1898] in linux-security and linux-alert archive


[linux-security] Re: masquerading

daemon@ATHENA.MIT.EDU (Ed Padin)
Fri Jun 19 01:43:57 1998

From: Ed Padin <epadin@wagweb.com>
To: "'linux-security@redhat.com'" <linux-security@redhat.com>
Date: Wed, 17 Jun 1998 11:20:07 -0400
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

The problem with masquerading is that it does many-to-one NAT. Does your
application support multiple connections from a single IP address? 

As far as securing it goes... how about this:

I imagine that your application must use a specific set of ports. Use
ipfwadm to block these ports by default. Make the users log in via SSH
or some other secure login type setup. Have a script running that, when
they log in, will grab the IP address they log in from and use ipfwadm
commands to open the ports for your application to the client's IP
address. You make another script that closes all these opened
connections every night. This will make the user only have to log in
once a day.

I don't know how this holds up against address spoofing but I don't
think spoofing is very useful without source-routing (which should
always be turned off in your kernel config!)**


** Only 95% sure of this statement so please correct me if need be. My
take is that source spoofing can only be used for break-in attacks when
coupled with source-routing. Source routing is the only way to get
spoofed packets back to the "real" source of the spoofed packets.
Spoofing is still usable and difficult to trace for DoS attacks.


Thanks.
-----Original Message-----
From: Michael Erhard [mailto:micha@andromeda.lalula.de]
Sent: Tuesday, June 16, 1998 2:59 AM
To: linux-security@redhat.com
Subject: [linux-security] masquerading

Following situation:
Having an intranet application that needs to know the IP address of the
clients before running.
Clients anywhere in the Internet with any IP address.
So I thought about using masquerading the opposite way from normal.
But then anybody could use this application.
Does anybody know how to make it a little bit more secure, like verifying
the MAC address of the client, or something like this.
Or maybe with IP-IP tunneling?

Michael Erhard

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null

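The login-time and nightly scripts Ed sketches, written out as an added shell example that is not from the thread. It assumes placeholder application ports and state-file path, ipfwadm syntax as on 2.0-era kernels, that sshd's SSH_CLIENT carries the client address, and that DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): Ed's two scripts as shell functions.
# open_for_login runs from the SSH login hook: it takes the client address from
# sshd's SSH_CLIENT, validates and records it, and inserts one ipfwadm accept
# rule per application port. close_all runs nightly and deletes those rules.
# Placeholders: APP_PORTS, STATE. DRY_RUN=1 (default) prints instead of running.
APP_PORTS="${APP_PORTS:-5000 5001}"       # placeholder application ports
STATE="${STATE:-/var/run/app-open-hosts}"  # placeholder: addresses opened today
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
# Accept only a plain dotted quad, so hostnames, masks or shell metacharacters
# never reach the ipfwadm command line.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# sshd exports SSH_CLIENT as "client_ip client_port server_port".
client_ip() { set -- $SSH_CLIENT; printf '%s\n' "$1"; }

# Ed's default policy: the application ports are denied for everyone.
block_by_default() {
    for p in $APP_PORTS; do run ipfwadm -I -a deny -P tcp -D 0.0.0.0/0 "$p"; done
}

# Login hook: insert (-i) accept rules so they are matched before the deny rule.
open_for_login() {
    ip=${1:-$(client_ip)}
    valid_ipv4 "$ip" || { echo "refusing client address '$ip'" >&2; return 1; }
    for p in $APP_PORTS; do
        run ipfwadm -I -i accept -P tcp -S "$ip" -D 0.0.0.0/0 "$p"
    done
    echo "$ip" >> "$STATE"
}

# Nightly job: delete (-d) exactly the recorded accept rules and clear the
# record, leaving the default deny rules in place (a blanket -f flush would not).
close_all() {
    [ -f "$STATE" ] || return 0
    while read -r ip; do
        valid_ipv4 "$ip" || continue
        for p in $APP_PORTS; do
            run ipfwadm -I -d accept -P tcp -S "$ip" -D 0.0.0.0/0 "$p"
        done
    done < "$STATE"
    : > "$STATE"
}
```

Run `DRY_RUN=1 sh -c '. ./script; block_by_default; open_for_login 10.1.2.3'` first to review the rule lines it would issue before setting DRY_RUN=0 on the gateway.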

