[H-GEN] mapping ports using iptables

Robert Brockway robert at timetraveller.org
Sun Jun 30 06:37:31 EDT 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Sun, 30 Jun 2002, Sandra Milne wrote:

> Firstly, is it dangerous? Can mapping a port compromise my system in any way?

It depends what you mean by "my system".

If you redirect a port from the firewall back to a machine that would
otherwise be getting Internet access via only NAT or a proxy/cache then 
you are now exposing the internal system directly to the Internet.  This
system is definitely more susceptible to a compromise as it is now exposed
whereas it was not before.

The firewall is no more exposed than it was (except indirectly - someone
compromising a box inside thanks to a redirect may well be able to attack
the firewall from the inside and get on it far more easily).
 
> Secondly, if it's not dangerous, can anyone point me to a howto that 

I don't like doing proxy redirects unless you take special measures to 
harden the internal box (make sure it is not trusted, firewalled off from 
important data, etc).  Consider the box exposed to the net, because in 
reality it is.

> actually explains not only how this is done, but has examples. I've had a 
> look around for stuff, but I really don't understand what they're talking 
> about half the time. An example that I can modify to suit my own needs 
> would be great.

It is a viable solution to some problems, I just suggest being careful 
with it.  I'll leave it to others to post examples (because there is a hot 
shower with my name on it :)

Cheers,
	-Rob

-- Robert Brockway B.Sc. email: robert at timetraveller.org  ICQ: 104781119
   Linux counter project ID #16440 (http://counter.li.org)
   avon: up 22 days, 19:25,  3 users,  load average: 0.01, 0.03, 0.00
   "The earth is but one country and mankind its citizens" -Baha'u'llah


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/
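
The precautions described in the reply above (redirect a single port, treat the internal box as untrusted, keep it away from important data and from the firewall), written out as an added example that is not part of the original post. The function name `portmap_rules`, the interface name and all addresses are constructed for illustration. It assumes the exposed box sits on its own segment routed through the firewall and that the FORWARD chain's default policy is DROP.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables commands; applies nothing.
# Constructed sample values: eth0 = Internet side, 192.168.2.10 = exposed box
# on its own segment, 192.168.1.0/24 = the LAN holding the important data.

portmap_rules() {
    wan_if=$1 host=$2 lan_net=$3 proto=$4 port=$5

    # Refuse anything that is not a single TCP/UDP port in range.
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*|??????*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi

    cat <<EOF
# 1. The redirect itself: this is the line that exposes $host.
iptables -t nat -A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $host:$port
# 2. Let only that one port through to the box, plus replies to existing flows.
iptables -A FORWARD -i $wan_if -d $host -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Do not trust the box: it may not open connections to the LAN ...
iptables -I FORWARD 1 -s $host -d $lan_net -m conntrack --ctstate NEW -j DROP
# 4. ... or to the firewall itself.
iptables -I INPUT 1 -s $host -m conntrack --ctstate NEW -j DROP
EOF
}

# Review the output, then pipe it to sh as root to apply it.
portmap_rules eth0 192.168.2.10 192.168.1.0/24 tcp 80
```

The two DROP rules are inserted at position 1 so that they take effect ahead of any broader ACCEPT rules already in the chains.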


