[Gllug] DNS security problem and broadband modems

Juergen Schinker ba1020 at homie.homelinux.net
Wed Jul 30 09:45:27 UTC 2008


Alain Williams wrote:
> On Mon, Jul 28, 2008 at 10:24:24PM +0100, ba1020 wrote:
>   
>> Tethys wrote:
>>     
>>>  
>>> Option 3) Do it yourself (in other words, get a better NAT
>>> provider). My ADSL router acts purely as a router -- simply
>>> passing packets from network A to network B and vice versa.
>>> It does no NAT/PAT and no packet filtering. Traffic goes
>>> straight through into my firewall (a separate box) which is
>>> entirely under my control. From there I fan out to the rest
>>> of the network. It's a setup I'd recommend to anyone. No
>>> messing about with cryptic and underpowered vendor configs.
>>> It's all just plain old network config on a Unix box.
>>>
>>> Tet
>>>   
>>>       
>> Hm, how is your router configured; routing the internet to an internal private
>> network?
>>
>> And what is the IP address of your router's internal interface?
>>
>> And how do you NAT on your Unix box (iptables)?
>>
>> It's not so easy to disable NATing on the router and keep everything 
>> working!
>>     
>
> That is the problem.
>
> Some modems do have a mode where they present the external IP traffic directly to
> one internal machine. However: since my BB modem also does my wifi (in a DMZ between
> the Internet and my internal network) this will not work. What is really wanted is
> "don't NAT outgoing connections to UDP port 53" - but that won't happen.
>
> I suppose that if NATting devices tried to preserve the local port number (i.e. only change
> it if it is already "in use") then this would go a long way to solving my problem. It would
> not be hard for NATting devices to do - most just don't seem to work that way.
>
>   
So what is your solution to disable NAT on the router?

Juergen
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
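The thread above (Tet's router-without-NAT setup, Juergen's question about how to NAT on a Unix box, and Alain's wish that NAT devices keep the local port number) turns on what a NAT's source-port policy does to the randomness a DNS resolver puts into its query source ports. The simulation below is an added illustration, not code from the thread or from any poster's configuration. It models three hypothetical NAT policies (the names and their behaviour are assumptions made for this example, not any vendor's documented behaviour) and measures how often an off-path attacker who has learned one external port can predict the port of the next query:

```python
"""Added illustration (not from the thread): how a NAT's UDP source-port
policy affects the port entropy of the DNS resolver behind it.

The resolver picks a random source port for every query.  Three hypothetical
NAT policies are modelled; names and behaviour are assumptions made for this
example, not any vendor's documented behaviour:

  sequential - hand out external ports in increasing order
  preserve   - keep the local port unless it is already in use
               (what Alain suggests NAT devices should do)
  random     - pick a fresh random external port for every mapping

The off-path attacker learns one external port (by making the resolver query
a name the attacker is authoritative for) and predicts the next query's port.
"""
import random

PORT_MIN, PORT_MAX = 1024, 65535     # ephemeral range assumed for the example


class Resolver:
    """Resolver that randomises the UDP source port of each query."""

    def __init__(self, rng=None):
        self.rng = rng or random.Random()

    def query_port(self):
        return self.rng.randint(PORT_MIN, PORT_MAX)


class Nat:
    """Stateful NAT that maps a local source port to an external one."""

    def __init__(self, policy, rng=None):
        if policy not in ("sequential", "preserve", "random"):
            raise ValueError("unknown NAT policy: %s" % policy)
        self.policy = policy
        self.rng = rng or random.Random()
        self.next_seq = PORT_MIN
        self.in_use = set()              # external ports with a live mapping

    def _free_random_port(self):
        port = self.rng.randint(PORT_MIN, PORT_MAX)
        while port in self.in_use:
            port = self.rng.randint(PORT_MIN, PORT_MAX)
        return port

    def map_port(self, local_port):
        if self.policy == "sequential":
            port = self.next_seq
            while port in self.in_use:   # skip ports still mapped
                port = PORT_MIN if port == PORT_MAX else port + 1
            self.next_seq = PORT_MIN if port == PORT_MAX else port + 1
        elif self.policy == "preserve":
            # keep the resolver's port; only change it on a collision
            port = local_port if local_port not in self.in_use else self._free_random_port()
        else:
            port = self._free_random_port()
        self.in_use.add(port)
        return port

    def release(self, port):
        """Mapping expires (reply received or timeout hit)."""
        self.in_use.discard(port)


def next_port_guess(observed_port):
    """Attacker's model of the NAT: ports are handed out sequentially."""
    return PORT_MIN if observed_port == PORT_MAX else observed_port + 1


def attacker_prediction_rate(policy, trials=2000, seed=1):
    """Fraction of target queries whose external port the attacker predicts."""
    rng = random.Random(seed)
    resolver = Resolver(rng)
    nat = Nat(policy, rng)
    hits = 0
    for _ in range(trials):
        # 1. probe query to the attacker's own name server leaks the current
        #    external port; the reply comes back and the mapping expires
        probe = nat.map_port(resolver.query_port())
        nat.release(probe)
        # 2. attacker predicts the external port of the next query
        guess = next_port_guess(probe)
        # 3. the target query, the one the attacker wants to answer first
        target = nat.map_port(resolver.query_port())
        hits += int(guess == target)
        nat.release(target)
    return hits / trials


if __name__ == "__main__":
    for policy in ("sequential", "preserve", "random"):
        print("%-10s attacker predicts the external port %.4f of the time"
              % (policy, attacker_prediction_rate(policy)))
```

Under the sequential policy the attacker predicts every port, so a forged reply only has to match the 16-bit transaction ID; under the preserve or random policies the resolver's randomisation survives the NAT and the attacker has to match port and ID together. On the Linux firewall that Tet describes, netfilter's SNAT and MASQUERADE targets keep the source port where possible by default (Alain's "preserve" behaviour), and their `--random` option (kernel 2.6.21 or later) randomises the mapping instead; what a consumer modem does is whatever its firmware chose.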