Re: Redirection to local lan, isn't DNAT method unsafe.

On Thursday 01 April 2004 11:20 pm, Alistair Tonner wrote:

> On April 1, 2004 04:55 am, Antony Stone wrote:
>
> > My expectation is that people "out on the Internet" cannot connect to
> > your private IPs (because the addresses are non-routable), therefore the
> > question doesn't arise for them.   People associated with your local
> > network (ie: inside your connection point to the Internet) surely aren't
> > a problem even if they do discover the real private IP address?   Or am I
> > missing something here about what you are trying to secure from whom?
>
> Actually I can see one other horrible possibility  --- an ISP with a /28
> net -- where the internal network of the ISP is by necessity a
> non-routable address space, and is natted within the /28 network ... or where
> subscribers are all on non-routable addresses and primary connection
> services are on the /28 space....

Hm, I see what you're saying (and yes, there are a lot of ISPs who run 
networks like this), however I still think that if you're making the service 
available to people on a public IP address (NATted by your firewall to the 
real private address), then why are you particularly bothered about them 
accessing the same service, by its private address?

Okay, it's the way you wanted them to do it, but they can't do any more with 
it than they could by using the public IP.

?

Antony.

-- 
This is not a rehearsal.
This is Real Life.

                                                     Please reply to the list;
                                                           please don't CC me.


