Re: lighting---hacked!

From: Alan W. Frame
Date: 05/29/02

From: Alan W. Frame
Date: Wed, 29 May 2002 14:30:23 +0100

Simon Matthews <nobody@devnull.none> wrote:

> On Thu, 23 May 2002, Alan W. Frame wrote:
> > Simon Matthews <nobody@devnull.none> wrote:
> >
> Alan,
> I guess I am starting with the fundamental concept that any machine that
> offers any services is much more likely to be cracked than a firewall.

Very true, and IIRC, it's rare for a linux-based non-service-offering
machine to have vulnerabilities.

> I figure that if I turn off all remote access to my firewall, then packets
> will pass through it, but there's nothing running locally that can be used
> to compromise the box itself.

Again true, but you may want to consider a fail-safe scenario[0] - and
where the box is and whether it warrants having a 'back-door' rather than
insisting on console access.

> Much of my thinking is also predicated on the assumption that one is
> running a private subnet (non-routable IP addresses) with masquerading and
> source routed packets are rejected everywhere.

For sure, but if you run *many* private subnets, then IMO you can get
more control over things - it's a question of balancing the control
against any (real or perceived) increase in risk.

> Do you really have application level proxies for all outgoing traffic?

In general yes - no IRC/IM/P2P stuff on my networks[1] - or even ftp -
SOAP is the next big worry for me.

rgds, Alan
[0] q.v. Tim's periodic reloading of iptables rules.
[1] 'tis amusing to see all the spyware calls home from the LAN bouncing
off the inside of the interior router...

99 Ducati 748BP, 95 Ducati 600SS, 81 Guzzi Monza, 74 MV Agusta 350
"Ride to Work, Work to Ride" SI# 7.067 DoD#1930 PGP Key 0xBDED56C5
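The set-up the two of them are describing (a gateway that offers no services of its own, masquerades a private subnet, refuses source-routed packets, lets outbound traffic leave only via an application proxy, and reloads its rules with a safety net) as one concrete iptables-restore rule set. This is an added example, not code from either poster or from the list; the interface names, the subnet, the proxy host, the single workstation allowed to reach the box over SSH, the `/run/fw-confirmed` marker file and the `apply`/`120` arguments are all assumed placeholders.

```shell
#!/bin/sh
# Added example: minimal "no services on the firewall" gateway config.
# All names below are assumptions; change them for a real network.
WAN_IF="${WAN_IF:-eth0}"                          # assumed: interface towards the ISP
LAN_IF="${LAN_IF:-eth1}"                          # assumed: interface towards the private subnet
LAN_NET="${LAN_NET:-192.168.1.0/24}"              # assumed RFC 1918 subnet behind the box
PROXY_HOST="${PROXY_HOST:-192.168.1.2}"           # assumed: the only host allowed out directly
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"          # assumed: the one LAN host allowed SSH (the 'back-door')

# Emit an iptables-restore file on stdout. Lines starting with '#' are ignored by iptables-restore.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade the private subnet behind the WAN address.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Nothing listens on the box itself: only loopback and replies to its own traffic reach INPUT ...
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ... plus SSH from one LAN host as a console substitute (delete this line for console-only access).
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Drop anything arriving on the outside interface that claims a private source address.
-A FORWARD -i $WAN_IF -s 10.0.0.0/8 -j DROP
-A FORWARD -i $WAN_IF -s 172.16.0.0/12 -j DROP
-A FORWARD -i $WAN_IF -s 192.168.0.0/16 -j DROP
# Only the application proxy may talk to the outside directly; replies flow back to it.
-A FORWARD -i $LAN_IF -s $PROXY_HOST -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $PROXY_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything else (e.g. a LAN host 'calling home' on its own) is logged, rate-limited, then dropped.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Kernel settings: forward packets, refuse source-routed packets, enable reverse-path filtering.
sysctl_settings() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
EOF
}

# Fail-safe loader in the spirit of footnote [0]: save the running rules, load the new ones,
# and revert automatically unless /run/fw-confirmed (assumed marker) appears within the grace period.
# Must run as root on the gateway.
apply_with_failsafe() {
    grace="${1:-120}"
    backup=$(mktemp)
    settings=$(mktemp)
    iptables-save > "$backup"
    build_rules | iptables-restore
    sysctl_settings > "$settings"
    sysctl -p "$settings" >/dev/null
    rm -f /run/fw-confirmed
    ( sleep "$grace"; [ -e /run/fw-confirmed ] || iptables-restore < "$backup" ) &
    echo "Rules loaded; touch /run/fw-confirmed within ${grace}s or the old rules come back."
}

# Usage:  sh fw.sh            -> print the rule set for review
#         sh fw.sh apply 120  -> load it as root with a 120-second revert window
if [ "${1:-show}" = "apply" ]; then
    apply_with_failsafe "${2:-120}"
fi
```

Review the output of `build_rules` with `iptables-restore --test` before applying it; the revert timer means a rule set that locks you out of the SSH back-door undoes itself without a trip to the console.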