Re: Is source address selection based on rules (netfilter) possible ?



David Brown wrote:
On 30/08/2010 10:58, Pascal Hambourg wrote:

I still see a problem in this situation: the security relies on proper
routing setup of third parties, usually the ISP's routers. However I
admit that the chances the ISP's routers are misconfigured or
compromised are quite tiny. But in some ISP topologies, multiple
customers share the same link layer thus can communicate directly with
one another without involving any ISP router. Such a topology has at least
existed in some cable ISPs.

Yes, I can see that could be a problem - a malicious "neighbour" on the
same link layer could send packets through your NAT router by directly
addressing the internal addresses.

Correct. This could also happen in another situation: a hosted
dedicated server running virtual machines with private addresses and
acting as a NAT router for them. Other (possibly compromised) dedicated
servers in the same subnet could send packets if the hosting service's
switches don't perform layer 3 filtering.
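The failure mode discussed above, modelled as an added example (not code from the thread or from netfilter itself): destination-based routing alone forwards a packet that a link-layer neighbour addresses directly to a private host, while a FORWARD chain keyed on the arrival interface drops it. The topology (eth0 WAN, eth1 LAN, 192.168.1.0/24 behind the router), the sample packets and the iptables rules quoted in the comments are assumptions chosen for the illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (assumption, not from the thread): eth0 is the WAN side
# that other customers on the same link layer can reach directly, eth1 the LAN
# behind the NAT router, 192.168.1.0/24 the private addresses behind it.
WAN_IF, LAN_IF = "eth0", "eth1"
LAN_NET = ip_network("192.168.1.0/24")

def route_decision(in_if, dst):
    """Destination-based routing alone: a packet for a LAN address goes out on
    eth1 whatever interface it came in on. This is exactly what a neighbour on
    the shared link abuses by addressing 192.168.1.x directly."""
    out_if = LAN_IF if ip_address(dst) in LAN_NET else WAN_IF
    return out_if != in_if  # forwarded unless it would go back where it came from

def netfilter_forward(in_if, src, dst, conntrack):
    """Interface-aware filtering in the FORWARD chain. Assumed rule set:
      iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A FORWARD -i eth0 -d 192.168.1.0/24 -j DROP
      iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j DROP
    The ESTABLISHED rule must come first: FORWARD sees replies after de-NAT,
    i.e. already addressed to 192.168.1.x, so they would otherwise be dropped
    too. conntrack here is a set of (src, dst) flows opened from the LAN."""
    if (dst, src) in conntrack:  # reply to a LAN-initiated flow
        return True
    if in_if == WAN_IF and (ip_address(dst) in LAN_NET or ip_address(src) in LAN_NET):
        return False
    return route_decision(in_if, dst)

def evaluate(packets, conntrack):
    """Return {label: (routing_only, with_netfilter)} for each sample packet."""
    return {label: (route_decision(i, d), netfilter_forward(i, s, d, conntrack))
            for label, i, s, d in packets}

# Constructed sample traffic (addresses from documentation ranges).
CONNTRACK = {("192.168.1.10", "203.0.113.7")}  # flow a LAN host opened
PACKETS = [
    ("lan_to_internet",   LAN_IF, "192.168.1.10", "203.0.113.7"),
    ("nat_reply",         WAN_IF, "203.0.113.7",  "192.168.1.10"),
    ("neighbour_direct",  WAN_IF, "203.0.113.9",  "192.168.1.10"),
    ("neighbour_spoofed", WAN_IF, "192.168.1.99", "192.168.1.10"),
]

if __name__ == "__main__":
    for label, (routed, filtered) in evaluate(PACKETS, CONNTRACK).items():
        print(f"{label:18} routing-only={routed!s:5} netfilter={filtered}")
```

The same ingress checks apply to the hosted-server case in the reply above: the virtualisation host's external interface takes the role of eth0.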


