firewall + masq - otazocky

Čtvrtek Květen 27 22:13:24 CEST 1999

On Thu, 27 May 1999, Petr Novotny wrote:

> > Nasledujuce dve pasaze su z IP-Masquerading.
> >   Breaking the security of a well set-up masquerading system
> >   should be considerably more difficult than breaking a good packet
> >   filter based firewall (assuming there are no bugs in either).
> 
> Protoze u packet filteru "staci" ten filter presvedcit, ze ma vas
> packet forwardnout, zatimto maskaradu je treba presvedcit, ze ho
> ma poslat na jinou adresu (puvodni cilova adresa je vnejsi IP
> routeru, kyzena je (privatni) IP na vnitrni siti).

Pricemz maskarada to ten preklad adres a poslani dal taky ochotne udela,
ovsem pouze v okamziku, kdy je otevren prislusny komunikacni kanal (viz
/proc/net/ip_masquerade, ve 2.2 se to mozna jmenuje jinak).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"