I have a Slackware (9.1) box set up that only has one IP of
192.168.0.96. I have been under the impression that this is safe from
the outside world because it's not a routable address but someone I
know who I've always respected says that it's not safe. I still keep
pretty up to date with patches and whatnot but would be interested in
finding out who's right. If I am wrong I guess I'll have to start
paying a little more attention.
--
Thanks & regards, PM

PackMule wrote:
> I have a Slackware (9.1) box set up that only has one IP of
> 192.168.0.96. I have been under the impression that this is safe from
> the outside world because it's not a routable address but someone I
> know who I've always respected says that it's not safe. I still keep
> pretty up to date with patches and whatnot but would be interested in
> finding out who's right. If I am wrong I guess I'll have to start
> paying a little more attention.

what address you have on your computer doesn't matter. the question is: is
it in some way connected to the internet? if it is, then it is in principle
possible to break into it.

--
Joost Kremers joostkremers@yahoo.com
Selbst in die Unterwelt dringt durch Spalten Licht
EN:SiS(9)

On Fri, 14 May 2004 01:43:42 -0500, PackMule <packmule13@yahoo.com> wrote:
> I have a Slackware (9.1) box set up that only has one IP of
> 192.168.0.96. I have been under the impression that this is safe from
> the outside world because it's not a routable address but someone I
> know who I've always respected says that it's not safe. I still keep
> pretty up to date with patches and whatnot but would be interested in
> finding out who's right. If I am wrong I guess I'll have to start
> paying a little more attention.

Is your box connected to a network? Are you blocking all trafic on the
device connected to the network? Are there any user logins for users who you
can't trust?

Sebastian
--
http://www.hpfsc.de/ - die Seite rund um:
Assembler, Bundeswehr, TFT LCDs, Halle/Saale, Fahrradtouren, Neuseeland,
Wanderstaat Mauma, Raumschiff USS Nathan, Enemy Room, MLCAD Tutorial

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

PackMule <packmule13@yahoo.com> wrote:

> I have a Slackware (9.1) box set up that only has one IP of
> 192.168.0.96. I have been under the impression that this is safe from
> the outside world because it's not a routable address but someone I
> know who I've always respected says that it's not safe. I still keep
> pretty up to date with patches and whatnot but would be interested in
> finding out who's right. If I am wrong I guess I'll have to start
> paying a little more attention.

Quoting from http://www.dalantech.com/boards/showflat-Cat--Board-
networking-Number-30916-page-1-view-collapsed-sb-5-o--fpart-1.html:

Dalantech: "I often get asked "If I have NAT, then why do I need a
firewall?". I posed the same question too Da Fade and asked him if
he could give me a really good response -here is his reply:"

Da Fade: "Easy answer ... NAT isn't a firewall. Does it block ports
by default? No. Does it prevent Denial of Service? No. Most importantly,
does it perform connection state inspection? A big NO!

Example: Mr. Joe Unprotected goes browsing out on the net. He starts a
telnet session out of his NAT protected device. He ends his session.
Guess what? The mapping for his session is still on the unit. It hasn't
yet timed out.

Enter Joe Hacker. He starts to do some port scans on Mr. Unprotected and
runs into a port allowing him in. Joe thinks, "Hmmm, weak firewall." Joe
has some fun playing around on hosts for a while through 'holes' made by
the users behind the NAT device. Eventually Some of the ports begin to
timeout (the NAT mapping has reached the end of its life). This upsets the
hacker greatly. In response, he decides to kill Mr. Unprotected's bandwidth
with some Denial of Service attacks.

The attacks are highly successful. Mr. Unprotected loses hours of service,
and tons of money, because he wasn't smart enough to believe what everyone
was telling him .... NAT is no substitute for a Firewall.

What I'm saying is that even though Joe Hacker can't see the private IP
addressing on the inside, that doesn't mean he can't access the inside
network. NAT will happily reverse the mapping as traffic flows in from the
public network as long as it has a map already, even one that's temporary.
Some NAT devices have ungodly long timeout values.

Spending a little extra for REAL security will make the difference between
real protection, and a thin candy shell called NAT."

- --
George Georgakis geegATtripleg_net_au http://www.tripleg.net.au/
SlackBuild Central - http://slackpack.tripleg.net.au/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQKP5hklp3nJf7PixEQK7jQCeLnAT+fS44cejg6ft2Itnfk sh7a8An3OF
S8e+48YeWlpoLNKjVMQegPqj
=kFq2
-----END PGP SIGNATURE-----

In article <tkq8a0ha1oeg6qaj02i0rcqcnpuj7go51m@4ax.com>, PackMule wrote:
> I have a Slackware (9.1) box set up that only has one IP of
> 192.168.0.96. I have been under the impression that this is safe from
> the outside world because it's not a routable address but someone I
> know who I've always respected says that it's not safe. I still keep
Its a private Class C address. As long as your ISPs router(s)
are configured right then no one outside of your ISP would be able to
connect in. If you have cable broadband people on your segment would
still be able to get in. BUT.... most cable broadband providers give
you your own address they assign. look at the NET-HOWTO to see how to
set up routing. Its easier to show than explain how it all works. On
my 10base-2 in-house lan my main box is 192.168.10.1. outside of the
lan on the official static IP from SBC/Yahoo I am 69.37.217.198.
Because this box IS the router all of my machines behind it can't be
accessed directly.
You also should look at IPMasquarading as well as IPchains as
well.


--
From the Desk of the Sysop of:
Planet Maca's Opus, a Free open BBS system.
Telephone 860-738-7176 300-33.6kbps Telnet://pinkrose.net.dhis.org
The New Cnews maintainer
B'ichela

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

B'ichela <mdalene@pinkrose.net.dhis.org> wrote:

> Its a private Class C address. As long as your ISPs router(s)
> are configured right then no one outside of your ISP would be able to
> connect in.

Incorrect. Refer to my previous post.

- --
George Georgakis geegATtripleg_net_au http://www.tripleg.net.au/
SlackBuild Central - http://slackpack.tripleg.net.au/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQKQCnklp3nJf7PixEQJVQgCgwu0CX+pemrdoUO2xLTYk2w BwaYUAni/R
UcDaI36qIbiApmtZMLzFRWxw
=Y5d7
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In alt.os.linux.slackware, B'ichela dared to utter,
> Its a private Class C address. As long as your ISPs router(s)
> are configured right then no one outside of your ISP would be able to
> connect in.

Don't listen to this guy, he obviously doesn't know how ethernet works.
Just because an ISP filters spoofed packets doesn't mean a few won't
get through. It also doesn't mean that some one has to try to route to
192.168.0.x. They can simply talk to your NAT router's external IP,
probe around a bit, and see what comes back. From that, they can
potentially access your inside network.

> Because this box IS the router all of my machines behind it can't be
> accessed directly.

Perhaps, perhaps not. They can however, most certainly be accessed
indirectly.

> You also should look at IPMasquarading as well as IPchains as
> well.

Good God! Don't listen to this guy! IPchains is so 2.2.x.
Netfilter/IPtables is the current firewall implimentation for linux.

- --
It is better to hear the rebuke of the wise,
Than for a man to hear the song of fools.
Ecclesiastes 7:5
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFApL7mL3KiNGOqr6ERAvwfAJ9GNiyda29aStfBGYTC7V DPz2X1AgCglei1
pWh0UqqZuoch4x2r3GgT/bU=
=Po0E
-----END PGP SIGNATURE-----

NOTE: This message was sent thru a mail2news gateway.
No effort was made to verify the identity of the sender.
--------------------------------------------------------

pgp trash troll delete

George Georgakis <geeg@tripleg.go.away.spammers.net.au> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> PackMule <packmule13@yahoo.com> wrote:

> > I have a Slackware (9.1) box set up that only has one IP of
> > 192.168.0.96. I have been under the impression that this is safe from
> > the outside world because it's not a routable address but someone I
> > know who I've always respected says that it's not safe. I still keep
> > pretty up to date with patches and whatnot but would be interested in
> > finding out who's right. If I am wrong I guess I'll have to start
> > paying a little more attention.

> Quoting from http://www.dalantech.com/boards/showflat-Cat--Board-
> networking-Number-30916-page-1-view-collapsed-sb-5-o--fpart-1.html:

> Dalantech: "I often get asked "If I have NAT, then why do I need a
> firewall?". I posed the same question too Da Fade and asked him if
> he could give me a really good response -here is his reply:"

> Da Fade: "Easy answer ... NAT isn't a firewall. Does it block ports
> by default? No. Does it prevent Denial of Service? No. Most importantly,
> does it perform connection state inspection? A big NO!

> Example: Mr. Joe Unprotected goes browsing out on the net. He starts a
> telnet session out of his NAT protected device. He ends his session.
> Guess what? The mapping for his session is still on the unit. It hasn't
> yet timed out.

> Enter Joe Hacker. He starts to do some port scans on Mr. Unprotected and
> runs into a port allowing him in. Joe thinks, "Hmmm, weak firewall." Joe
> has some fun playing around on hosts for a while through 'holes' made by
> the users behind the NAT device. Eventually Some of the ports begin to
> timeout (the NAT mapping has reached the end of its life). This upsets the
> hacker greatly. In response, he decides to kill Mr. Unprotected's bandwidth
> with some Denial of Service attacks.

> The attacks are highly successful. Mr. Unprotected loses hours of service,
> and tons of money, because he wasn't smart enough to believe what everyone
> was telling him .... NAT is no substitute for a Firewall.

> What I'm saying is that even though Joe Hacker can't see the private IP
> addressing on the inside, that doesn't mean he can't access the inside
> network. NAT will happily reverse the mapping as traffic flows in from the
> public network as long as it has a map already, even one that's temporary.
> Some NAT devices have ungodly long timeout values.

> Spending a little extra for REAL security will make the difference between
> real protection, and a thin candy shell called NAT."

> - --
> George Georgakis geegATtripleg_net_au http://www.tripleg.net.au/
> SlackBuild Central - http://slackpack.tripleg.net.au/

> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

> iQA/AwUBQKP5hklp3nJf7PixEQK7jQCeLnAT+fS44cejg6ft2Itnfk sh7a8An3OF
> S8e+48YeWlpoLNKjVMQegPqj
> =kFq2
> -----END PGP SIGNATURE-----

NOTE: This message was sent thru a mail2news gateway.
No effort was made to verify the identity of the sender.
--------------------------------------------------------

pgp trash troll delete

George Georgakis <geeg@tripleg.go.away.spammers.net.au> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> B'ichela <mdalene@pinkrose.net.dhis.org> wrote:

> > Its a private Class C address. As long as your ISPs router(s)
> > are configured right then no one outside of your ISP would be able to
> > connect in.

> Incorrect. Refer to my previous post.

> - --
> George Georgakis geegATtripleg_net_au http://www.tripleg.net.au/
> SlackBuild Central - http://slackpack.tripleg.net.au/

> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

> iQA/AwUBQKQCnklp3nJf7PixEQJVQgCgwu0CX+pemrdoUO2xLTYk2w BwaYUAni/R
> UcDaI36qIbiApmtZMLzFRWxw
> =Y5d7
> -----END PGP SIGNATURE-----

NOTE: This message was sent thru a mail2news gateway.
No effort was made to verify the identity of the sender.
--------------------------------------------------------

pgp trash troll delete

Alan Hicks <alan@lizella.network> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> In alt.os.linux.slackware, B'ichela dared to utter,
> > Its a private Class C address. As long as your ISPs router(s)
> > are configured right then no one outside of your ISP would be able to
> > connect in.

> Don't listen to this guy, he obviously doesn't know how ethernet works.
> Just because an ISP filters spoofed packets doesn't mean a few won't
> get through. It also doesn't mean that some one has to try to route to
> 192.168.0.x. They can simply talk to your NAT router's external IP,
> probe around a bit, and see what comes back. From that, they can
> potentially access your inside network.

> > Because this box IS the router all of my machines behind it can't be
> > accessed directly.

> Perhaps, perhaps not. They can however, most certainly be accessed
> indirectly.

> > You also should look at IPMasquarading as well as IPchains as
> > well.

> Good God! Don't listen to this guy! IPchains is so 2.2.x.
> Netfilter/IPtables is the current firewall implimentation for linux.

> - --
> It is better to hear the rebuke of the wise,
> Than for a man to hear the song of fools.
> Ecclesiastes 7:5
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)

> iD8DBQFApL7mL3KiNGOqr6ERAvwfAJ9GNiyda29aStfBGYTC7V DPz2X1AgCglei1
> pWh0UqqZuoch4x2r3GgT/bU=
> =Po0E
> -----END PGP SIGNATURE-----