Re: DSL setup questions... again.

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 02/01/04
Date: Sun, 01 Feb 2004 11:32:02 GMT

"William D. Tallman" <wtallman@olypen.com> said:
>I've got ADSL from my ISP via Qwest to an Actiontec 1524 DSL modem. It is
>connected to an ethernet switch, to which a Linux box and a M$ PC are also
>connected. The Actiontec is the "gateway" with a permanent address on the
>LAN side. It connects to the ISP using PPPoA and DHCP. Or so says the
>Actiontec's web page.

Ok.

>It appears that as long as everything is up and running, the Actiontec sees
>the ethernet switch as an active component, even when both computers are
>powered down.

Correct.

>At least it shows a regular blip on its ethernet interface, suggesting
>that there is activity, and the interface light remains on at all
>times. When both computers were connected directly to the Actiontec,
>the interface lights went out when the computers powered down.

I'm not sure why there should be activity with the computers powered down.
But at ethernet level the link really is up as long as the switch is
powered up.

>Questions:
>
>1) It would seem that neither computer has to worry about DHCP, as that
>is settled between the DSL modem and the ISP. Effectively, then, the
>computers are left with a permanent Internet address. Is this correct?

Yes..no. The computers effectively don't have Internet addresses at all;
they only have _intranet_ addresses. Your modem apparently has an Internet
address it obtained by DHCP from your ISP.

But correct in that sense, that with that kind of set-up you can keep
consistent, non-changing addresses on your LAN.

>2) If so, then it would seem that as far as the computers are concerned,
>they both access a fixed internet address, and that address is the LAN
>address of the modem and not the assigned address on the ISP side. Is that
>correct?

Both computers access the Internet through a gateway having a fixed
address. Still, the "LAN address of the modem" apparently is not an Internet
address. Sorry to be anal over these, but trying to keep these straight
tends to at some point clarify things.

>3) I've made a practice of having a terminal running tcpdump whenever
>the box is up, and have seen no intrusive activity at all. In fact,
>except for explicit activity with the time server, the mail server, the
>news server, and whatever http server I'm doing business with, there is
>no more activity now than when the DSL modem was not connected to the
>LAN. Given that the modem is actually a NAT enabled bridge, does that
>suggest that it is doing everything that needs to be done? I'm aware
>that this is commonly thought not to be the case....

I'd say that you can't NAT on a bridge. Sounds like a NATting router.

At network level everything now depends on the configuration of the modem:
have you assigned any ports to be forwarded to any of the LAN machines
for incoming traffic? So, f.ex. if someone connects to port 25 ("smtp",
common port for providing mail server service) of your modem from the
Internet, does the modem just drop/reject the traffic, or have you
configured it to forward those requests to one of your internal machines?

Basically, I'd expect that all traffic you see in your LAN is packets
originated by your machine, and response packets to these.

One thing you need to find out, though: is the configuration www service
that your modem provides available also to the Internet? If so, have you
set up a good enough password (or rather, find out whether there is any
way to restrict the configuration access to LAN only).

>4) The PC is running Zone Alarm, just as it did when it was a dial-up,
>with ZA now seeing the Internet via a gateway on the LAN rather than
>via a dial-up account. Apparently there is no change in the extent
>of protection offered. Or maybe we've just been lucky? I'm running
>Shorewall on the Linux box, configured the same way, and have yet to
>see any untoward activity. Not sure how well it's configured, but
>apparently it works. Again, have we just been lucky?

With just a dial-up, your PC apparently has been completely visible to
the Internet - whereas now what is seen externally is just the router,
and any outbound traffic generated by your machines. I consider the
difference in levels of protection a big one.

So, your current risk is that you end up requesting (directly or
indirectly) some traffic that is malicious and effective against your
applications (so, spyware on WWW; mail-based virii and so on).

What you need against these is:
- keeping your systems updated
- disabling unnecessary services
- on PC, running antivirus software

What still might help in case of compromise:
- filtering outbound traffic (so limiting what can go out, to prevent
  your machines from infecting others). For PC, ZA should be a good tool
  for this; for Linux, netfilter (iptables) can be effectively used -
  however, you need to know what outbound traffic is needed for your
  own use.

>5) The point of all this is that I'm generating a real firewall for my box,
>with every issue addressed. I'm using Bob Ziegler's "Linux Firewalls" as
>the prototype. I gather that he and his work are generally well regarded.
>Is that the case in this venue as well?
>
>6) And finally, if any of the resident experts are familiar with Ziegler's
>book, I would appreciate the chance to post specific questions; and
>probably enough of them to bore everyone stiff....LOL!!!! Is anyone
>familiar with this stuff and willing to mentor me a bit, please?

Unfortunately I don't have experience with Ziegler's books, so can't comment
on them.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
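Added example, not from either poster: a small Python script that does offline what the questioner describes doing by eye with tcpdump, and that produces the one thing Juha says you need before filtering outbound traffic with iptables, namely a list of which outbound ports your own use actually requires. It runs on constructed sample lines in `tcpdump -n` format with hypothetical LAN addresses (192.168.0.10 and .11; the post names none), attributes every flow to whichever side initiated it, flags inbound connection attempts that no LAN host asked for (behind a NAT router these should only appear if a port forward is configured, or if the capturing box is exposed some other way), sets aside TCP packets of connections that were already in progress when the capture began so they are not misreported as intrusions, and finally renders the observed outbound ports as an iptables OUTPUT allow-list under a default-DROP policy. The rule rendering is an illustration of the post's advice, not anything the modem or Shorewall generates.

```python
import re
from collections import Counter

# Hypothetical LAN addresses of the Linux box and the PC (assumption, the
# post does not give them). On a switched LAN the capturing host sees only
# its own unicast traffic, so a real capture would mostly show one host.
LAN_HOSTS = {"192.168.0.10", "192.168.0.11"}

# Constructed sample in the shape of `tcpdump -n` output; not a real capture.
# It contains the traffic the questioner lists (time, mail, news, www),
# plus DNS, one unsolicited inbound SYN, and one connection that was
# already open when the capture started.
SAMPLE_CAPTURE = """\
11:32:00.500000 IP 192.168.0.10.32768 > 1.2.3.5.53: 4321+ A? news.example.net. (34)
11:32:00.500100 IP 1.2.3.5.53 > 192.168.0.10.32768: 4321 1/0/0 A 9.9.9.9 (50)
11:32:01.000001 IP 192.168.0.10.40000 > 1.2.3.4.123: UDP, length 48
11:32:01.000002 IP 1.2.3.4.123 > 192.168.0.10.40000: UDP, length 48
11:32:02.000001 IP 192.168.0.10.40001 > 5.6.7.8.25: Flags [S], seq 1, win 64240, length 0
11:32:02.000002 IP 5.6.7.8.25 > 192.168.0.10.40001: Flags [S.], seq 2, ack 2, win 65535, length 0
11:32:02.000003 IP 192.168.0.10.40001 > 5.6.7.8.25: Flags [P.], seq 2:20, ack 3, win 64240, length 18
11:32:03.000001 IP 192.168.0.11.3001 > 9.9.9.9.80: Flags [S], seq 10, win 65535, length 0
11:32:03.000002 IP 9.9.9.9.80 > 192.168.0.11.3001: Flags [S.], seq 20, ack 11, win 65535, length 0
11:32:04.000001 IP 10.20.30.40.5555 > 192.168.0.10.22: Flags [S], seq 100, win 1024, length 0
11:32:05.000001 IP 192.168.0.10.40002 > 9.9.9.9.119: Flags [S], seq 300, win 64240, length 0
11:32:06.000001 IP 7.7.7.7.443 > 192.168.0.11.3002: Flags [.], ack 1, win 65535, length 0
"""

PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_packet(line):
    """Return (src, sport, dst, dport, proto, flags) or None for lines we skip.
    tcpdump prints `Flags [...]` only for TCP, so its absence means UDP here."""
    m = PKT_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    fm = FLAGS_RE.search(rest)
    proto = "tcp" if fm else "udp"
    flags = fm.group(1) if fm else ""
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), proto, flags)


def classify_capture(text, lan_hosts):
    """Attribute each flow to its initiator.

    outbound    : Counter of (proto, dport) for flows a LAN host started
    unsolicited : inbound connection attempts no LAN host asked for
    midstream   : TCP packets of flows already open before capture began
    """
    seen = set()
    outbound = Counter()
    unsolicited = []
    midstream = 0
    for line in text.splitlines():
        pkt = parse_packet(line)
        if pkt is None:
            continue
        src, sport, dst, dport, proto, flags = pkt
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in seen or rev in seen:
            continue  # continuation or reply of a flow already attributed
        # A TCP flow starts with a bare SYN ("S" without the ACK dot). Any
        # other packet of an unknown flow predates the capture: we cannot
        # tell who initiated it, so it must not be reported as an intrusion.
        if proto == "tcp" and not ("S" in flags and "." not in flags):
            midstream += 1
            continue
        seen.add(fwd)
        if src in lan_hosts:
            outbound[(proto, dport)] += 1
        elif dst in lan_hosts:
            unsolicited.append(f"{src}:{sport} -> {dst}:{dport}/{proto}")
    return {"outbound": outbound, "unsolicited": unsolicited, "midstream": midstream}


def outbound_rules(result, iface="eth0"):
    """Render an iptables OUTPUT allow-list from the observed outbound flows
    (legacy `-m state` match, current in the post's era), default policy DROP.
    Anything not in the capture (e.g. DNS, if it was never observed) is
    blocked, which is exactly why the capture must cover your own usage."""
    rules = [
        "iptables -P OUTPUT DROP",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        f"iptables -A OUTPUT -o {iface} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for proto, port in sorted(result["outbound"]):
        rules.append(
            f"iptables -A OUTPUT -o {iface} -p {proto} --dport {port} "
            f"-m state --state NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    result = classify_capture(SAMPLE_CAPTURE, LAN_HOSTS)
    print("outbound ports in use:", dict(result["outbound"]))
    print("unsolicited inbound:", result["unsolicited"])
    print("mid-stream packets skipped:", result["midstream"])
    print("\n".join(outbound_rules(result)))
```

On the sample, the only unsolicited flow is the SYN from 10.20.30.40 to port 22 on the Linux box; with no port forward configured on a NAT router, a line like that in a real capture would be the thing to investigate. The mid-stream packet from 7.7.7.7:443 is counted but not flagged, since a capture started while a browser session was open would otherwise produce a false alarm on every such packet.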

