Subject: Re: ipf rules
To: None <>
From: Wolfgang Rupprecht <>
List: current-users
Date: 12/13/2000 16:04:18

(David Maxwell) writes:
> If your cableco/ISP could _force_ 192.168.x.x destined packets at
> your 'firewall', it would route them with your current rules. Since
> there's no way to add the rule you really need, you need another 
> ethernet card, as I said before.

I'd like to underscore that.

Sending 192.168.x.x addresses to some "cable modems" is trivial.
Until recently my cable connection was via a transparent bridge to
roughly 16,000 other hosts on the Fremont "ethernet".  Yes, that's not
a typo: 16 thousand.  The racket on that net was deafening!

Any one of those 16k hosts could send an arp-request for 192.168.x.x
and then proceed to talk to that address.  Amusingly, quite a few
hosts did answer to  (Why are some folks so
unimaginative???  There are 65536 addresses to choose from. ;-))

In any case, a firewall whose security is based solely on the premise
that nobody can route 192.168.x.x addresses to it is severely broken.

       Wolfgang Rupprecht <>
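
A small model of the point made in this thread, added here as an example and not part of the original message or of ipf itself: it compares a policy that trusts 192.168.x.x addresses wherever they appear with one that also checks the arrival interface. The interface names (ext0, int0, ne0), the sample addresses, and modelling a one-card box by giving both roles the same interface name are assumptions.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("192.168.0.0/16")  # private range from the thread

@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on
    src: str    # addresses as seen on the wire, before any NAT
    dst: str

def is_inside(addr):
    return ipaddress.ip_address(addr) in INSIDE

def address_only(pkt):
    """Weak policy: any packet that mentions an inside address is trusted,
    on the premise that outsiders cannot deliver one."""
    return "pass" if is_inside(pkt.src) or is_inside(pkt.dst) else "block"

def interface_aware(pkt, ext_if, int_if):
    """Private addresses are believed only on the inside interface."""
    if pkt.iface == ext_if and (is_inside(pkt.src) or is_inside(pkt.dst)):
        return "block"  # private address showing up on the outside wire
    if pkt.iface == int_if and not is_inside(pkt.src):
        return "block"  # inside hosts must use inside source addresses
    return "pass"

# Constructed sample traffic; all addresses and interface names are made up.
def sample(ext_if, int_if):
    return {
        "inside host to Internet": Packet(int_if, "192.168.1.10", "203.0.113.7"),
        "bridge neighbour to inside": Packet(ext_if, "198.51.100.23", "192.168.1.10"),
        "neighbour spoofing inside src": Packet(ext_if, "192.168.1.99", "192.168.1.10"),
    }

def verdicts(ext_if, int_if):
    """Map each sample packet to (address_only, interface_aware) verdicts."""
    return {name: (address_only(p), interface_aware(p, ext_if, int_if))
            for name, p in sample(ext_if, int_if).items()}

if __name__ == "__main__":
    for label, nics in (("two cards", ("ext0", "int0")), ("one card", ("ne0", "ne0"))):
        for name, (weak, strict) in verdicts(*nics).items():
            print(f"{label:9} {name:30} address-only={weak:5} interface-aware={strict}")
```

With two cards the interface check separates the inside host from the bridge neighbour; with one card it cannot, and the only choices are to pass all three packets or block all three.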
