
List:       netfilter
Subject:    Re: Implications of a permissive FORWARD chain
From:       Mark Fox <mark.fox () gmail ! com>
Date:       2014-02-19 2:34:22
Message-ID: loom.20140219T022735-831 () post ! gmane ! org

Neal Murphy <neal.p.murphy <at> alum.wpi.edu> writes:

> Perhaps this will help.
> 
> [...]

It does. Especially this:

>  This allows
>  almost anyone, almost anywhere, to determine which services are available
>  on which systems, and to attack them (SQL attacks on RDBMS servers, SQL
>  injection attacks on web servers, &cet.) or to allow malware (viruses,
>  trojans, &cet.) to propagate through your private internetwork of LANs.

What I think I may have not made clear is that I'm not dealing with LANs
here. It's a single LAN, with everything thrown onto it. That's what threw
me for a loop. It's not firewalling between networks. It's firewalling to
and from the same network.

Perhaps I've made the mistake of spending most of my time thinking about
protecting hosts on one network from hosts on different networks, but not
much time thinking about hosts on the same network.

In any case, it seems pretty obvious that, given the all-eggs-in-one-basket
state of the network, really tight firewalling is in order.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
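As an added illustration of the point made in this thread (this is not code from the thread or from either poster), the following script emits two FORWARD chains in iptables-restore format: the permissive one Mark is starting from, and a tightened one in which the default policy is DROP and only named flows are allowed through. The LAN, web-server and database addresses and the port numbers are constructed for the example; the helper functions at the end are only there to inspect the generated rulesets.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Constructed addresses for illustration only:
LAN=192.168.10.0/24
WEB=192.168.10.20
DB=192.168.10.30

# The permissive starting point: everything routed through the box is forwarded.
permissive_forward_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# The tightened version: default DROP, then explicit allow rules for the
# flows that are actually needed, with the rest logged (rate-limited) and
# dropped by the chain policy.
tight_forward_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies belonging to connections already permitted below
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that do not belong to any tracked connection
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# only the web tier may open connections to the database (constructed port)
-A FORWARD -s $WEB -d $DB -p tcp --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
# any LAN host may reach the web server on 80/443
-A FORWARD -s $LAN -d $WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# everything else: log a sample, then fall through to the DROP policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# forward_policy: print the FORWARD chain's default policy from a ruleset on stdin
forward_policy() {
    sed -n 's/^:FORWARD \([A-Z]*\) .*/\1/p'
}

# count_forward_accepts: number of explicit ACCEPT rules in the FORWARD chain
count_forward_accepts() {
    awk '/^-A FORWARD .* -j ACCEPT$/ { n++ } END { print n + 0 }'
}

# Usage: ./forward.sh tight | sudo iptables-restore --test
case "${1:-}" in
    permissive) permissive_forward_rules ;;
    tight)      tight_forward_rules ;;
esac
```

Two things worth checking before applying something like this: `iptables-restore --test` parses the ruleset without committing it, so the generated text can be validated first; and the FORWARD chain only ever sees traffic that actually transits the firewall (routed, or bridged with br_netfilter), so two hosts on the same segment that talk to each other directly never hit these rules at all, which is exactly why a single flat LAN gives so little to work with.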