[Gllug] Old small laptop firewall option? Or just send it to the recycling centre?

Pete Ryland pdr at pdr.cx
Tue Oct 31 00:32:28 UTC 2006


On 30/10/06, Neil de Carteret <n3dst4 at gmail.com> wrote:
>
> On 30/10/06, Christian Smith <csmith at thewrongchristian.org.uk> wrote:
> > But if you trust all the devices on your switch, you should be OK. Nothing
> > from the internet can talk to devices on your private network so long as
> > you trust your modem/router.
>
> You're right. I didn't get from the original post that this was to
> shield an internal network. I was just seeing two networks, firewalled
> from each other.
>
> Apologies to Pete if I sounded snarky.
>

:-) No problem, it's indeed a valid point in this scenario too.  As has been
said, you do indeed need to keep in mind that you can't stop a host attached
to your network from taking on an externally-visible IP, making any
unprotected devices on your network vulnerable.  On the flip side, if you
have a nice ISP that gives you multiple real IPs, you can run services on
any host by providing it with a second IP, all without touching the
firewall[1].  Just make sure you lock down any such machine's external IP!
Basically, there are pitfalls, but at the end of the day you don't *need*
the second network card.

Mike's VLAN solution works too, and will completely separate the two
networks, but probably a tad over budget for a home solution.  Phil's
solution is secure too, and flexible.  For a single external IP, NAT-based
solution (basically 99% of people) it's ideal.

Oh, another pitfall to my suggestion: having a DHCP client on any of your
hosts may cause trouble, especially if your ADSL router wants to do DHCP
pass-through (thinking it's doing you a favour by letting you have the same
IP as it on the internet side).

Pete

[1] Yeah, writing this made me shudder a little too.
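
Added example, not part of the original message: a small Python audit for the pitfall described above, a LAN host holding an externally visible IP, possibly handed out by DHCP pass-through. It parses `ip -o -4 addr show` output and flags non-private addresses; the sample output is constructed and the function name is hypothetical.

```python
import ipaddress

# Ranges never reachable from the internet: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of `ip -o -4 addr show` output. 203.0.113.0/24 is a
# documentation range standing in for ISP-assigned addresses.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.20/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/29 brd 203.0.113.15 scope global secondary eth0:1\\       valid_lft forever preferred_lft forever
3: eth1    inet 203.0.113.9/29 brd 203.0.113.15 scope global dynamic eth1\\       valid_lft 3500sec preferred_lft 3500sec
"""

def external_addresses(ip_output):
    """Return (interface, address, looks_leased) for each non-internal IPv4 address."""
    findings = []
    for line in ip_output.splitlines():
        fields = line.split()
        if "inet" not in fields:
            continue
        iface = fields[1]
        addr = ipaddress.ip_interface(fields[fields.index("inet") + 1]).ip
        if any(addr in net for net in INTERNAL_NETS):
            continue
        # "dynamic" marks an address with a finite lifetime, which is how
        # DHCP clients typically install a lease (assumption: not guaranteed).
        findings.append((iface, str(addr), "dynamic" in fields))
    return findings

if __name__ == "__main__":
    for iface, addr, leased in external_addresses(SAMPLE):
        origin = "leased, check router DHCP pass-through" if leased else "static"
        print(f"{iface}: {addr} is externally visible ({origin}); firewall it")
```

On a real host, feed the function the output of `ip -o -4 addr show` instead of the sample.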