Firewall Wizards mailing list archives

Re: multiple IP addresses on a single NIC


From: "M. Dodge Mumford" <dmumford () nfr net>
Date: Tue, 21 Jul 1998 20:48:16 -0400 (EDT)

I did this with a linux box doing IP masquerading until I got a second
NIC. 

Certainly one of the main concerns is that, since it's one NIC, your
internal hosts are on the same segment as your external hosts. Here's the
way my config looked at the physical level:


----/   ----------
   /----| router |
        ----------
             |
          -------------------------------
             |               |         |
          ------------   ---------   ---------
          | linux gw |   | box 1 |   | box 2 |
          ------------   ---------   ---------

But topologically, it looked like this:

----/   ----------
   /----| router |
        ----------
             |
          --------      legal 29 bit network
              |
         ------------
         | linux gw |
         ------------
              |
         ------------------     10.0.0.0/24
            |            |
         ---------   ---------
         | box 1 |   | box 2 |
         ---------   ---------

Because I used a reserved network address, the inside hosts can't be
addressed directly (without using source routing). The problem is if the
router or the firewall becomes compromised. You've got that much less
protection from the bad guy. 



On Mon, 20 Jul 1998, Tally Jones wrote:

what are the implications of binding more than one IP address
on the same NIC card (unlike having a multihomed gateway or
bastion host). each interface of NIC could be bound to more
than one IP address... but why? [ this is often done by ISPs
whom i contacted lately and they said that this way they could
host more web servers on the same machine, instead of having a
different host. each ip address mapped points to a different
directory ]

but what about the setting of the rules about Network access
and Network address translation etc. how would they respond to
such a scenario. please email me a copy of your responses as I am
working on such a scenario and how it would compromise security.

thanks in advance
tally jones







-----
Dodge   dodge () nfr net        PGP key available upon request
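The following is an added example, not code from either poster, that models the
single-NIC masquerading gateway in the reply above and the rules question in the
quoted post: with both the reserved 10.0.0.0/24 hosts and the outside world on
one wire, the gateway cannot tell "inside" from "outside" by the interface a
packet arrived on, so its filter and NAT decisions have to rest on addresses
alone. The gateway's public address (192.0.2.10, a documentation range) stands
in for the unnamed "legal 29 bit network" address and is an assumption; the
traffic fed to it is constructed.

```python
"""Model of a masquerading gateway on a single NIC (added example, not from the post)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# From the post's topology: inside hosts sit in the reserved 10.0.0.0/24 network.
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")
# Assumed placeholder for the gateway's address on the "legal 29 bit network";
# 192.0.2.0/24 is reserved for documentation, so nothing real is implied.
GW_PUBLIC = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    source_routed: bool = False  # IP source-route option present


@dataclass
class Gateway:
    """With one NIC every packet, inside or outside, arrives on the same
    interface, so the gateway can only classify by address, never by port of
    entry.  That is the weakness the reply describes: nothing but the address
    plan separates the two 'sides'."""
    nat: dict = field(default_factory=dict)      # public port -> (in ip, in port, peer)
    reverse: dict = field(default_factory=dict)  # (in ip, in port, peer) -> public port
    next_port: int = 61000
    log: list = field(default_factory=list)

    @staticmethod
    def _side(ip: str) -> str:
        return "inside" if ipaddress.ip_address(ip) in INSIDE_NET else "outside"

    def _drop(self, pkt: Packet, why: str) -> None:
        self.log.append((why, pkt))
        return None

    def handle(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as the gateway re-emits it, or None if it is dropped."""
        # Source routing is the one way the reply names for an outsider to reach
        # a 10/24 host directly, so it is refused before anything else.
        if pkt.source_routed:
            return self._drop(pkt, "source-routed")
        src_side, dst_side = self._side(pkt.src), self._side(pkt.dst)
        if src_side == "inside" and dst_side == "outside":
            return self._masquerade(pkt)
        if src_side == "outside" and dst_side == "inside":
            # Deliverable on the shared wire, but the gateway must never forward it.
            return self._drop(pkt, "outside-to-reserved")
        if src_side == "outside" and pkt.dst == GW_PUBLIC:
            return self._demasquerade(pkt)
        if src_side == "inside" and dst_side == "inside":
            # Box 1 and box 2 share the segment; this traffic never needs the gateway.
            return self._drop(pkt, "not-for-gateway")
        return self._drop(pkt, "no-rule")

    def _masquerade(self, pkt: Packet) -> Packet:
        """Rewrite an inside host's source to the gateway's public address/port."""
        key = (pkt.src, pkt.sport, pkt.dst)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.nat[port] = key
        return Packet(GW_PUBLIC, pkt.dst, port, pkt.dport)

    def _demasquerade(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host, only for a session it opened."""
        entry = self.nat.get(pkt.dport)
        if entry is None or entry[2] != pkt.src:
            # No session, or a reply from a peer the inside host never contacted.
            return self._drop(pkt, "no-session")
        inside_ip, inside_port, _ = entry
        return Packet(pkt.src, inside_ip, pkt.sport, inside_port)


def demo() -> list:
    """Constructed traffic: one legitimate session plus the cases the rules must refuse."""
    gw = Gateway()
    out = gw.handle(Packet("10.0.0.2", "198.51.100.5", 1025, 80))
    back = gw.handle(Packet("198.51.100.5", GW_PUBLIC, 80, out.sport))
    gw.handle(Packet("198.51.100.5", "10.0.0.2", 80, 1025))                      # direct to reserved
    gw.handle(Packet("198.51.100.5", "10.0.0.2", 80, 1025, source_routed=True))  # source routed
    gw.handle(Packet("203.0.113.9", GW_PUBLIC, 80, out.sport))                   # wrong peer
    gw.handle(Packet("10.0.0.2", "10.0.0.3", 1025, 22))                          # stays on the wire
    return [out, back] + [why for why, _ in gw.log]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two checks worth noticing are the unconditional refusal of source-routed
packets and the drop of anything from a public address to a 10.0.0.0/24
destination: on a shared segment such a packet is physically deliverable, so the
rule has to exist even though the reserved network is "unroutable". The model
also only de-masquerades replies from the peer an inside host actually
contacted, so an unsolicited packet to the gateway's public address never
reaches box 1 or box 2.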


