Pascal Hambourg put forth on 2/21/2011 3:51 PM:
> Stan Hoeppner wrote:
>>
>> You only need one NIC in your firewall box when using a switch. You simply plug
>> everything into the switch including the DSL modem and the Netgear.
>> Bind both the public and private IP addresses to the same NIC in the
>> firewall using a virtual NIC: i.e. eth0 and eth0:1.
>
> This is a wrong idea because the firewall can be by-passed, leaving a
> hole in the LAN security.
Would you mind explaining why you believe this?

The DSL modem is an Ethernet to ATM bridge and the connection to the DSLAM is point-to-point. So, with my recommended setup, while in theory broadcast packets could reach the other end, typically the DSLAM is going to instantly drop any such packets as they have no valid destination. Thus, nothing on the public side of the bridge is going to know the MAC addresses of internal hosts except the DSLAM, so there's no chance of things like an ARP attack. For this to be a real security issue, any attack must start below the IP level, eliminating any threat from a remote internet host. The attacker would have to be a telco employee generating attack packets from the DSLAM itself. The odds of this are probably lower than being struck by lightning while being attacked by a shark.

Remember, the OP has xDSL service, _not_ cable. If he'd said cable, I'd not have recommended what I did, as cable is a shared medium, and broadcast traffic is seen by other customers' equipment on the same segment. What I proposed is perfectly safe for xDSL. For a cable situation, you should have two physical NICs in the firewall to eliminate the possibility of broadcast traffic and things like ARP attacks.

-- 
Stan

Archive: http://lists.debian.org/4d62f904.3040...@hardwarefreak.com
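The single-NIC layout from the quoted recommendation (one physical interface carrying both the public and the private address, eth0 and eth0:1), as an added example that is not from either poster: a shell script that emits the address and iptables configuration such a box would need. The addresses, the interface name and the rule set are assumptions; because one interface carries both networks, no rule can use `-i eth0` to tell WAN from LAN, so every rule keys on addresses, with rp_filter as the anti-spoofing check.

```shell
#!/bin/sh
# Added example (not from the thread): one NIC, two addresses, address-keyed rules.
# Constructed addresses, chosen for illustration only:
#   public side : 203.0.113.2/30 on label eth0:1 (ISP gateway 203.0.113.1)
#   private side: 192.168.1.1/24 on eth0
NIC=eth0
PUB_IP=203.0.113.2
LAN_IP=192.168.1.1
LAN_NET=192.168.1.0/24

# Address setup: both subnets on the same physical interface, as the quoted
# recommendation describes. rp_filter drops packets whose source address
# would not be routed back out the interface they arrived on.
addr_config() {
    cat <<EOF
ip addr add ${LAN_IP}/24 dev ${NIC}
ip addr add ${PUB_IP}/30 dev ${NIC} label ${NIC}:1
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.${NIC}.rp_filter=1
EOF
}

# Filter and NAT rules. With a single interface, "-i ${NIC}" matches traffic
# from both sides, so the LAN/WAN distinction lives in -s/-d matches instead.
# Default policy DROP means anything not explicitly allowed, including
# forwarding from the public side toward the LAN, is discarded.
fw_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s ${LAN_NET} -d ${LAN_IP} -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ${LAN_NET} ! -d ${LAN_NET} -j ACCEPT
iptables -t nat -A POSTROUTING -s ${LAN_NET} ! -d ${LAN_NET} -j SNAT --to-source ${PUB_IP}
EOF
}

# Sanity check for the ruleset: count rules that match on the shared NIC.
# Any such rule would be ambiguous in this layout, so the expected count is 0.
iface_keyed_rules() {
    fw_rules | grep -c -- " -i ${NIC} " || true
}

# Print the commands; apply as root with: sh this_script.sh print | sh
if [ "${1:-}" = "print" ]; then
    addr_config
    fw_rules
fi
```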