Gavin Clark wrote:
>
> on 6/17/00 11:26 PM, Civileme wrote:
>
> >
> > >> I've got a question here. What, if any, are the advantages of using two
> > >> NICs? On the firewall we run here (FreeBSD) we are only using a single NIC
> > >> for both directions: to the network and to the Net. (And we run video
> > >> conferencing, so traffic is heavy.) As I see it, adding a second NIC
> > >> only serves to add latency to the net access. Unless your traffic volume
> > >> exceeds 10 or 100 Mbps in any one direction (depending on your net speed),
> > >> the card, even in half-duplex mode, should be more than able to handle the
> > >> traffic. I've asked this question before in other groups and no one could
> > >> give me an answer that held water. Thanks; hope this isn't off topic. If it
> > >> is, please ignore, and I apologize.
> >>
> >> James
> >
> > Well, I changed the topic to something appropriate.
> >
> > Let's say that you use one NIC and give it two addresses... If
> > it has only one address, I am sailing by any firewall you set up
> > on that box, BSD or not, because that means all your machines
> > have network addresses reachable from outside.
> >
> > If not--and you have two addresses on the card, one for local
> > under the "experimental" addresses which are reserved from use on
> > the internet, like
> >
> > 192.168.0.0 - 192.168.255.255
> > 176.16.0.0 - 176.31.255.255
> > 10.0.0.0 - 10.255.255.255
> >
> > and the other a real internet address. This means incoming
> > traffic from the internet is recognized and processed, then
> > retransmitted on the same NIC to the local station if not
> > filtered out. This is equivalent to having two NICs, since you
> > have the latency. In fact this rig is sometimes called the "poor
> > man's router"... I would hazard a guess that this is the
> > configuration of your firewall. It is more secure than attaching
> > the interface to the internet router through a hub and attaching
> > the locals onto the same hub.
> >
> > Now if your "firewall" is on a hub with the local stations and
> > the hub also connects to the internet router, then Mr. Aloysius
> > Blackhat out on the internet figures out your local subnet and
> > configures a similar subnet on his end--working a similar
> > "firewall/router" combo, and into your subnet he comes with an
> > EASY CRACK--he's just another one of the localhost folks.
> > Civileme
>
> So let's see if I've got this straight?
>
> I can do IP masq with one ethernet card in the linux box (as
> router/firewall)?
>
> cables:
> DSL modem into Hub A
> Linux Box into Hub A
> Mac Workstations into Hub A
>
> ip addresses:
> macs are set to 192.168.1.X
> DSL IP comes in as y.y.y.y
> linux box listens to y.y.y.y and 192.168.1.X
>
> This setup lets me be cheap and save my $19, but it opens my subnet wide to
> anyone who figures out the subnet address? (Kind of like a VPN for crackers.)
>
> I think I'll spend the $19.
>
> Gavin
I think that's a good choice. Aren't you glad you are a white
hat? Don't you wish everyone was?
Civileme
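As an added illustration of the point argued in this thread (this is not code from any of the posters), the following Python model compares the two layouts: a firewall with two NICs, where the arrival interface tells the filter which side a packet came from, and Gavin's single-NIC box sharing one hub with the DSL modem and the Macs, where every packet arrives on the same interface and the Macs' segment is the same wire the modem is on. The interface names eth0/eth1, the documentation addresses 203.0.113.7 (standing in for y.y.y.y) and 198.51.100.20 (a remote host), and the assumption that a spoofed frame from outside does land on the hub, as Civileme supposes, are all mine; the private ranges are the RFC 1918 blocks.

```python
"""Two firewall layouts from the thread, modelled as packet verdicts.

Added example; addresses, interface names and the sample packets are
constructed for illustration and are not from the original posts.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 private blocks (the ranges Civileme lists).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LAN = ipaddress.ip_network("192.168.1.0/24")        # the Macs (assumed)
WAN_ADDR = ipaddress.ip_address("203.0.113.7")      # stands in for y.y.y.y


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str  # interface the firewall received the packet on


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def two_nic_verdict(pkt: Packet) -> str:
    """eth0 faces the DSL modem, eth1 faces the LAN hub.

    The arrival interface tells us which side a packet came from, so we
    can drop packets whose addresses contradict that side (anti-spoofing).
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "eth0":                       # came from the Internet
        if is_private(src):
            return "DROP: private source address arriving from the Internet"
        if dst != WAN_ADDR:
            return "DROP: Internet packet not addressed to our public address"
        return "ACCEPT: de-NAT and forward to the LAN host that opened the flow"
    if pkt.iface == "eth1":                       # came from the LAN
        if src not in LAN:
            return "DROP: LAN host using a non-LAN source address"
        return "MASQUERADE: rewrite source to %s and send out eth0" % WAN_ADDR
    return "DROP: unknown interface"


def one_nic_verdict(pkt: Packet) -> str:
    """Single NIC carrying both addresses, on the same hub as modem and Macs.

    Every packet arrives on eth0, so the filter can only key on the
    addresses; it cannot tell a genuine LAN packet from a spoof of one.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src in LAN and dst not in LAN:
        return "MASQUERADE: rewrite source to %s and resend on eth0" % WAN_ADDR
    if dst == WAN_ADDR:
        return "ACCEPT: de-NAT and resend on eth0 to the LAN host"
    if src in LAN and dst in LAN:
        return "IGNORE: looks like local-to-local traffic, nothing to forward"
    return "DROP: not ours"


def lan_host_receives(pkt: Packet, layout: str) -> bool:
    """Does the Mac at pkt.dst end up holding the frame?

    two_nic:     the Macs hang off eth1 only, so they see what is forwarded.
    one_nic_hub: the Macs share the hub with the modem, so any frame for a
                 LAN address is already on their wire; the firewall's
                 verdict never enters into it.
    """
    if layout == "two_nic":
        return two_nic_verdict(pkt).startswith("ACCEPT")
    if layout == "one_nic_hub":
        return ipaddress.ip_address(pkt.dst) in LAN
    raise ValueError("unknown layout: %s" % layout)


if __name__ == "__main__":
    # Constructed sample: an outside host claiming to be a local station.
    spoof = Packet("192.168.1.99", "192.168.1.10", "eth0")
    for layout in ("two_nic", "one_nic_hub"):
        verdict = (two_nic_verdict if layout == "two_nic" else one_nic_verdict)(spoof)
        print(layout, "->", verdict, "| Mac gets it:", lan_host_receives(spoof, layout))
```

The two-NIC box rejects the spoofed packet at the border because a private source on the Internet-facing interface is a contradiction; the single-NIC box on a hub can at best ignore it, and the Mac has already received the frame regardless, which is the "just another one of the localhost folks" outcome Civileme describes.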