Subject: Re: ipf rules
To: None <current-users@netbsd.org>
From: Wolfgang Rupprecht <wolfgang@wsrcc.com>
List: current-users
Date: 12/13/2000 16:04:18
david@vex.net (David Maxwell) writes:
> If your cableco/ISP could _force_ 192.168.x.x destined packets at
> your 'firewall', it would route them with your current rules. Since
> there's no way to add the rule you really need, you need another
> ethernet card, as I said before.
I'd like to underscore that.
Sending 192.168.x.x addresses to some "cable modems" is trivial.
Until recently my cable connection was via a transparent bridge to
roughly 16,000 other hosts on the Fremont "ethernet". Yes, that's not
a typo: 16 thousand. The racket on that net was deafening!
Any one of those 16k hosts could send an arp-request for 192.168.x.x
and then proceed to talk to that address. Amusingly, quite a few
hosts did answer to 192.168.0.1. (Why are some folks so
unimaginative??? There are 65536 addresses to choose from. ;-))
In any case, a firewall whose security is based solely on the premise
that nobody can route 192.168.x.x addresses to it is severely broken.
-wolfgang
--
Wolfgang Rupprecht <wolfgang+gnus@dailyplanet.wsrcc.com>
http://www.wsrcc.com/wolfgang/
Coming soon: GPS mapping tools for Open Systems. http://www.gnomad-mapping.com/
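As an added illustration (not part of the thread or the poster's own configuration), here is an ipf ruleset contrasting the weak assumption both posters criticise with interface-bound rules that make the "second ethernet card" pay off. Interface names are placeholders: ex0 is assumed to face the cable modem, ex1 the inside LAN; the block also extends the point to the other RFC1918 ranges, which the thread does not mention.

```ipf
# Added example, not from the thread. Interface names are assumptions:
# ex0 = cable-modem side, ex1 = inside LAN (the "other ethernet card").

# WEAK: no interface qualifier. Anything claiming a 192.168.x.x source is
# trusted, including a packet a neighbour on the bridged cable segment
# injects through ex0 after ARPing for the address.
#   pass in quick from 192.168.0.0/16 to any keep state

# CORRECT: private addresses are only legitimate on ex1. Anything with an
# RFC1918 source or destination arriving on the cable side is dropped and
# logged, so spoofing attempts show up in the ipmon log.
block in log quick on ex0 from 192.168.0.0/16 to any
block in log quick on ex0 from any to 192.168.0.0/16
block in log quick on ex0 from 10.0.0.0/8 to any
block in log quick on ex0 from 172.16.0.0/12 to any

# Don't leak private addresses toward the cableco either.
block out log quick on ex0 from 192.168.0.0/16 to any
block out log quick on ex0 from any to 192.168.0.0/16

# Inside hosts may open sessions; replies return via the state table.
pass in quick on ex1 from 192.168.0.0/16 to any keep state

# Default deny for everything else entering from the cable side.
block in log quick on ex0 all
```

ipf filters at the IP layer, so it does not stop the box from answering ARP for a 192.168.x.x address configured on ex0 itself; keep private addresses off the cable-facing interface entirely and watch `ipmon` output for hits on the `block ... on ex0` rules.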