Networking Forums


It works, but now....

William D. Tallman
12-31-2003, 07:47 PM
DSL: ISP -> Qwest/Actiontec 1524 -> eth0. It works.

Today I reset everything so that the Actiontec is connected to the ethernet
switch, and the two machines also connected thereto. Physically, it's a
LAN connected to a DSL router-modem, which means that the router is the
only internet firewall for the LAN, leaving the machines to protect
themselves. DSL still works, but now I wish to reconfigure the LAN itself
to function thus.

So now we have: Actiontec="192.168.0.1", Linux box="192.168.0.10",
Windows box without an address at the moment. The latter should be set to
"192.168.0.20", I would think.

Questions:

I understand that the router will ignore traffic not intended for it, ie LAN
traffic. Is that true?

At the moment, my computer name is again 'localhost'. I should be able to
reset the computer name once again without having a problem with the
Actiontec. Is that true?

I should be able to set up Samba once again without any trouble. Is that
true?

I understand that the accepted wisdom is to run separate NICs with a DMZ
between them. But this router should protect me from the internet in any
case, what with the ISP providing DHCP. Is that true, and if not, how not?

I do understand that I should be able to discover all this for myself by
RTFM and google, etc., but I'd rather have some confirmation from others
who have experience; I still don't trust my ability to understand things
correctly.

Thanks all,

Bill Tallman
--
Registered Linux User: #221586
Mdk-9.0 and IceWM
Gkrellm still watches over me...

Allan Butler
12-31-2003, 08:08 PM
William D. Tallman wrote:

> DSL: ISP -> Qwest/Actiontec 1524 -> eth0. It works.
>
> Today I reset everything so that the Actiontec is connected to the
> ethernet
> switch, and the two machines also connected thereto. Physically, it's a
> LAN connected to a DSL router-modem, which means that the router is the
> only internet firewall for the LAN, leaving the machines to protect
> themselves. DSL still works, but now I wish to reconfigure the LAN itself
> to function thus.
>
> So now we have: Actiontec="192.168.0.1", Linux box="192.168.0.10",
> Windows box without an address at the moment. The latter should be set to
> "192.168.0.20", I would think.


There are a few specific address locations that are reserved but the address
that you mention above is a valid address.

>
> Questions:
>
> I understand that the router will ignore traffic not intended for it, ie
> LAN
> traffic. Is that true?


That is what I understand also. But what happens if someone has looked at
the operating system on that device and figured a way to get into the router
and then out through the switch to the LAN? Now you are open to attack from
your own router.

I would suggest setting up firewalls on your own personal computers as the
lowest cost solution.

A better solution would be to find an older computer that can take two
NICs. Put one of the NICs directly to the Router that you have there
and then put the other NIC to a small workgroup switch. There are a number
of firewall distributions that you can use to make this work. I use a
distribution called smoothwall from www.smoothwall.org that I really like.
It works quite well and has quite a few capabilities that you might like
to have. The older computer doesn't even have to be fast or have a lot of
memory and hard drive capacity.

>
> At the moment, my computer name is again 'localhost'. I should be able to
> reset the computer name once again without having a problem with the
> Actiontec. Is that true?


I don't think the Actiontec cares about names. It is more interested in
MAC addresses.

>
> I should be able to set up Samba once again without any trouble. Is that
> true?


Yeah it should work just fine.

>
> I understand that the accepted wisdom is to run separate NICs with a DMZ
> between them. But this router should protect me from the internet in any
> case, what with the ISP providing DHCP. Is that true, and if not, how
> not?
>
> I do understand that I should be able to discover all this for myself by
> RTFM and google, etc., but I'd rather have some confirmation from others
> who have experience; I still don't trust my ability to understand things
> correctly.
>
> Thanks all,
>
> Bill Tallman


 
Reply With Quote
 
Grant Edwards
Guest
Posts: n/a

 
      12-31-2003, 08:18 PM
On 2003-12-31, William D. Tallman <(E-Mail Removed)> wrote:

> DSL: ISP -> Qwest/Actiontec 1524 -> eth0. It works.
>
> Today I reset everything so that the Actiontec is connected to
> the ethernet switch, and the two machines also connected
> thereto. Physically, it's a LAN connected to a DSL
> router-modem, which means that the router is the only internet
> firewall for the LAN, leaving the machines to protect
> themselves.


Huh? How do the machines have to protect themselves? Anything
from the outside world has to go through the firewall (the
1524).

> DSL still works, but now I wish to reconfigure
> the LAN itself to function thus.
>
> So now we have: Actiontec="192.168.0.1", Linux box="192.168.0.10",
> Windows box without an address at the moment. The latter should be set to
> "192.168.0.20", I would think.


That should work.

> Questions:
>
> I understand that the router will ignore traffic not intended
> for it, ie LAN traffic. Is that true?


Yes. Unless the engineers at Actiontec have their heads
seriously up their butts.

> At the moment, my computer name is again 'localhost'. I
> should be able to reset the computer name once again without
> having a problem with the Actiontec. Is that true?


Yes: the actiontec neither knows nor cares about your host
names.

> I should be able to set up Samba once again without any
> trouble. Is that true?


I don't know why not.

> I understand that the accepted wisdom is to run separate NICs
> with a DMZ between them.


Only if you need a DMZ. I don't see why you would.

> But this router should protect me from the internet in any
> case,


Yes.

> what with the ISP providing DHCP.


Eh?

--
Grant Edwards
grante at visi.com
Yow! .. someone in DAYTON, Ohio is selling USED CARPETS to a SERBO-CROATIAN

P.T. Breuer
12-31-2003, 08:30 PM
William D. Tallman <(E-Mail Removed)> wrote:
> DSL: ISP -> Qwest/Actiontec 1524 -> eth0. It works.


Hi Bill! (rubs hands ...)

> Today I reset everything so that the Actiontec is connected to the ethernet
> switch, and the two machines also connected thereto.


That will make no difference at all. The switch is transparent.
Provided you remembered to pass the cable into the correct hole! You'll
want the "uplink" hole if the actiontec is expecting to feed a switch.
If the actiontec is expecting to feed a NIC, then you'll want one of the
ordinary holes.

There often is a switch for port 1 or 8 that switches it round. Or you
can flip the cable on the uplink between a crossover cable and a normal
cable.

> Physically, it's a
> LAN connected to a DSL router-modem, which means that the router is the
> only internet firewall for the LAN, leaving the machines to protect
> themselves. DSL still works, but now I wish to reconfigure the LAN itself
> to function thus.


> So now we have: Actiontec="192.168.0.1", Linux box="192.168.0.10",
> Windows box without an address at the moment. The latter should be set to
> "192.168.0.20", I would think.


Isn't "666" a valid address? What is that in base 256 ... umm, 2.154 .


> I understand that the router will ignore traffic not intended for it, ie LAN
> traffic. Is that true?


The router will only get stuff passed to it that bears the address of
the router's LANside interface, i.e. "0.1". The switch would have no
reason to send packets to its (uplink) port otherwise. So you must set
the router as gateway to the internet on each of your LAN machines, in
order that packets for the outside world bear the necessary devils
imprint on their foreheads.

LAN traffic may have the router named as gateway, but it will be
unusual. I am not sure what would happen in that case. It depends on
the switch if it is smart enough to notice that the packet should
really go to another of its ports eventually, and on the router ...
mmph, I think the router should send it right back out on to the lan
port, and the switch send the packet to and from the router. So it's
just a silly idea.

> At the moment, my computer name is again 'localhost'. I should be able to
> reset the computer name once again without having a problem with the
> Actiontec. Is that true?


Yes. It doesn't care about names. It works at a much lower level.

> I should be able to set up Samba once again without any trouble. Is that
> true?


Samba should not need setting up again, if it is confined to the LAN.
And not even if not.

> I understand that the accepted wisdom is to run separate NICs with a DMZ
> between them. But this router should protect me from the internet in any
> case, what with the ISP providing DHCP. Is that true, and if not, how not?


It's not true. The router simply passes packets from one network to
another. There is no implicit "protection" in that.

You get some protection by not having a static address, but anyone can
see where your packets are sourced from and send packets to you. They
just have to route them through the internet side of your router to
reach you.

It's likely that the router has a firewall built into it, that you can
configure. But you know how silly I think firewalls are! In this case
however, it has the advantage that it is properly sited! While a
firewall on your own machine is really silly, a firewall on a router is
at least vaguely sensible, because it concentrates admin for the whole
intranet at one point, and stops stuff before it gets on your lan in
the first place! The router is also not providing any services itself,
so it's not silly to firewall them! And you are saving yourself the
hassle of finding what services are running on each of your machines
and turning them on or off by using a point firewall on a router
instead.

However, it's also likely that your router will be doing NAT - in fact
it must be given your LAN addresses. That makes things complicated.
Essentially your machines on the LAN are *not contactable at all*
from outside under those circumstances. NAT is a "dynamic forwarding
firewall". It's triggered by packets from your side going out. They
configure the firewall to pretend to be you to the outside world, but
secretly pass returns back to you. It invents a port number to
represent you as you. It alone knows what the number is, so nobody
can "aim" packets at you. Well, they might guess if they examined the
packet stream, but they can't do it from cold.

So yes, you get some "protection", but by way of obscurity.


Peter
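The dynamic mapping Peter describes (an outbound packet opens an entry, the router invents an external port, and an inbound packet with nothing to match is dropped) can be modelled in a few lines. This is an added example, not code from the thread or from any router; it is a toy model, not Linux netfilter. The LAN addresses are the poster's; the public address 203.0.113.7, the 198.51.100.x remote hosts and the `restricted` flag (which models whether the router also checks the remote endpoint on inbound packets, the point argued over later in the thread) are assumptions.

```python
# Toy model of the dynamic NAT ("masquerading") table a DSL router keeps.
# Added example, not code from the thread or from any router firmware.
# Internal addresses mirror the poster's LAN; 203.0.113.7 (public side)
# and the 198.51.100.x remote hosts are constructed documentation addresses.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint


@dataclass
class Masquerader:
    public_ip: str
    restricted: bool = True  # also check the remote endpoint on inbound packets
    next_port: int = 40000   # next "invented" external port
    # external port -> (internal endpoint, remote endpoint it was opened for)
    table: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    reverse: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> internet: create (or reuse) a mapping and rewrite the source."""
        key = (pkt.src, pkt.dst)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port  # the router alone knows this number
            self.next_port += 1
            self.table[port] = (pkt.src, pkt.dst)
            self.reverse[key] = port
        return Packet((self.public_ip, port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: forward only if a mapping exists, else drop (None)."""
        entry = self.table.get(pkt.dst[1])
        if entry is None:
            return None  # nothing opened this port: a packet sent "from cold" is dropped
        internal, remote = entry
        if self.restricted and pkt.src != remote:
            return None  # mapping belongs to another peer: drop
        return Packet(pkt.src, internal)


def demo(restricted: bool):
    """Run one web request through the router and probe the resulting mapping."""
    nat = Masquerader("203.0.113.7", restricted=restricted)
    linux_box = ("192.168.0.10", 51234)
    web = ("198.51.100.5", 80)
    out = nat.outbound(Packet(linux_box, web))          # opens external port 40000
    reply = nat.inbound(Packet(web, out.src))           # legitimate return traffic
    cold = nat.inbound(Packet(("198.51.100.99", 23), (nat.public_ip, 23)))  # no mapping
    third = nat.inbound(Packet(("198.51.100.99", 4444), out.src))  # other host, mapped port
    return out, reply, cold, third


if __name__ == "__main__":
    for mode in (True, False):
        out, reply, cold, third = demo(mode)
        print(f"restricted={mode}: external={out.src} reply={reply is not None} "
              f"cold={cold is not None} third_party={third is not None}")
```

With `restricted=False` the third-party packet to the mapped port is forwarded to the Linux box, which is the "protection by obscurity" case; with `restricted=True` only the peer the mapping was opened for gets through.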
 
William D. Tallman
12-31-2003, 11:04 PM
Allan Butler wrote:

<snip>
>> Questions:
>>
>> I understand that the router will ignore traffic not intended for it, ie
>> LAN
>> traffic. Is that true?

>
> That is what I understand also. But what happens if someone has looked at
> the operating system on that device and figured a way to get into the
> router
> and then out through the switch to the LAN? Now you are open to attack
> from your own router.


And that's not as far-fetched as it might sound, what with a bunch of them
deployed and more coming, at least in this area. Consider, though, what
sort of attack would that be? I'd expect it to be M$ oriented, and thus of
questionable relevance to the *nix systems.

> I would suggest setting up firewalls on your own personal computers as the
> lowest cost solution.


They're already in place, awaiting reconfiguring for the gateway.

> A better solution would be to find an older computer that can take two
> NICs. Put one of the NICs directly to the Router that you have there
> and then put the other NIC to a small workgroup switch. There are a
> number
> of firewall distributions that you can use to make this work. I use a
> distribution called smoothwall from www.smoothwall.org that I really like.
> It works quite well and has quite a few capabilities that you might like
> to have. The older computer doesn't even have to be fast or have a lot of
> memory and hard drive capacity.


Have the machine and everything. Dunno whether it's worth doing, though.
That would be a DMZ firewall, I presume. However, I'm not offering any
kind of services whatever to the outside, which means a default drop policy
except for LAN machine addresses ought to serve. Or so I would think; I'm
just learning about these matters.

If the ISP is providing DHCP that resets the outer address each time an
authorization takes place, and the router serves its purpose, what sort of
other capabilities might be valuable?

Thanks for the response!

Bill Tallman
--
Registered Linux User: #221586
Mdk-9.0 and IceWM
Gkrellm still watches over me...

William D. Tallman
12-31-2003, 11:05 PM
Grant Edwards wrote:

> On 2003-12-31, William D. Tallman <(E-Mail Removed)> wrote:
>
>> DSL: ISP -> Qwest/Actiontec 1524 -> eth0. It works.
>>
>> Today I reset everything so that the Actiontec is connected to
>> the ethernet switch, and the two machines also connected
>> thereto. Physically, it's a LAN connected to a DSL
>> router-modem, which means that the router is the only internet
>> firewall for the LAN, leaving the machines to protect
>> themselves.

>
> Huh? How do the machines have to protect themselves? Anything
> from the outside world has to go through the firewall (the
> 1524).


Dunno. Everything on the LAN is trusted (within line of sight..<grin>), but
both machines had firewalls on dial-up, and I presume that reconfiguring
them for the LAN gateway would not be a bad idea.

<snip>
>> Questions:
>>
>> I understand that the router will ignore traffic not intended
>> for it, ie LAN traffic. Is that true?

>
> Yes. Unless the engineers at Actiontec have their heads
> seriously up their butts.


I would guess that's not the case, as Qwest would probably not accept them
otherwise. Actiontecs have their own problems, so they say; the Cisco 678
is well recommended even by Qwest's own techs, but I've agreed to try this
one first.

<snip>
>> what with the ISP providing DHCP.

>
> Eh?


LOL!!! I'm discovering that all the data about PPPoATM and DHCP may well
only be relevant to Windows machines. It appears that all that is taken
care of by the Actiontec, and that it's pure TCP/IP on this side of the
box. At least that's what I see with tcpdump.

Thanks for replying!

Bill Tallman
--
Registered Linux User: #221586
Mdk-9.0 and IceWM
Gkrellm still watches over me...

ray
01-02-2004, 01:51 AM
On Wed, 31 Dec 2003 16:05:34 +0000, William D. Tallman wrote:

> Grant Edwards wrote:
>
>> On 2003-12-31, William D. Tallman <(E-Mail Removed)> wrote:
>>
>>> DSL: ISP -> Qwest/Actiontec 1524 -> eth0. It works.
>>>
>>> Today I reset everything so that the Actiontec is connected to
>>> the ethernet switch, and the two machines also connected
>>> thereto. Physically, it's a LAN connected to a DSL
>>> router-modem, which means that the router is the only internet
>>> firewall for the LAN, leaving the machines to protect
>>> themselves.

>>
>> Huh? How do the machines have to protect themselves? Anything
>> from the outside world has to go through the firewall (the
>> 1524).

>
> Dunno. Everything on the LAN is trusted (within line of sight..<grin>), but
> both machines had firewalls on dial-up, and I presume that reconfiguring
> them for the LAN gateway would not be a bad idea.
>
> <snip>
>>> Questions:
>>>
>>> I understand that the router will ignore traffic not intended
>>> for it, ie LAN traffic. Is that true?

>>
>> Yes. Unless the engineers at Actiontec have their heads
>> seriously up their butts.

>
> I would guess that's not the case, as Qwest would probably not accept them
> otherwise. Actiontecs have their own problems, so they say; the Cisco 678
> is well recommended even by Qwest's own techs, but I've agreed to try this
> one first.
>
> <snip>
>>> what with the ISP providing DHCP.

>>
>> Eh?

>
> LOL!!! I'm discovering that all the data about PPPoATM and DHCP may well
> only be relevant to Windows machines. It appears that all that is taken
> care of by the Actiontec, and that it's pure TCP/IP on this side of the
> box. At least that's what I see with tcpdump.
>
> Thanks for replying!
>
> Bill Tallman


As I understand it, it is basically a function of whether you're working
with an ethernet connection to the modem or not. If it's internal, then
you have to do the ppp stuff - if you have an ethernet connection, then
basically you connect your lan to the modem. Please correct if that is not
accurate.

Grant Edwards
01-02-2004, 02:33 AM
In article <(E-Mail Removed)>, ray wrote:

>>>> DSL: ISP -> Qwest/Actiontec 1524 -> eth0. It works.
>>>>
>>>> Today I reset everything so that the Actiontec is connected to
>>>> the ethernet switch, and the two machines also connected
>>>> thereto. Physically, it's a LAN connected to a DSL
>>>> router-modem, which means that the router is the only internet
>>>> firewall for the LAN, leaving the machines to protect
>>>> themselves.


>> LOL!!! I'm discovering that all the data about PPPoATM and
>> DHCP may well only be relevant to Windows machines.


It's relevant to dumb, internal DSL modems that don't have
built in NAT firewalling.

>> It appears that all that is taken care of by the Actiontec,
>> and that it's pure TCP/IP on this side of the box. At least
>> that's what I see with tcpdump.


That's certainly how the previous generations of QWest DSL
boxen (Cisco 67x) worked. Based on my reading of the Actiontec
docs, they work pretty much the same.

> As I understand it, it is basically a function of whether you're
> working with an ethernet connection to the modem or not. If
> it's internal, then you have to do the ppp stuff - if you have
> an ethernet connection, then basically you connect your lan to
> the modem. Please correct if that is not accurate.


Everything I wrote assumed it was an external DSL
modem/NAT-firewall box with an Ethernet connection to the
"inside" network. That's how I understood the deeply
quoted paragraph at the top of this posting. Like Ray says, if
that's not what's going on, we'll have to start over...

IMO, nobody in their right mind would use an internal DSL modem
if they had any way at all they could use an external one that
handles the PPPoATM and NAT stuff. It may cost a tiny bit
extra, but it's well worth it to have a dedicated firewall.

I certainly have no complaints about my Cisco 675.

--
Grant Edwards
grante at visi.com
Yow! I left my WALLET in the BATHROOM!!

P.T. Breuer
01-02-2004, 06:40 AM
Jeroen Geilman <(E-Mail Removed)> wrote:
> P.T. Breuer wrote:


> > However, it's also likely that your router will be doing NAT

> It is a certainty.


I agree.


> > - in fact it must be given your LAN addresses.


See?

> Among other things.



No - not at all. I have an adsl router and a static externally routable
IP on my own gateway computer on the LAN side of the router. That
matches the physical description given, but not the network
architecture.


> > That makes things complicated.


> How so ?



For the explanation, at least. It also makes things complicated because
the router does not simply pass packets from one side to the other but
also alters them.


> > Essentially your machines on the LAN are *not contactable at all*
> > from outside under those circumstances.

> Bah.



Bah? Bah? Is that some new kind of fashionable word? What does it mean?
"I am a slobbleguzzwit", perhaps?


> > NAT is a "dynamic forwarding firewall".


> NAT means Network Address Translation.



I know what it means, thank you. That's a "dynamically configured
forwarding firewall". You try and set up the forwarding rules
statically!

Is there something you feel you have contributed that the dict of comp
does not?


> > It's triggered by packets from your side going out. They
> > configure the firewall to pretend to be you to the outside world, but
> > secretly

> Secretly ?



Secretly.


> Must be a new definition of the word.



No, it's an old one. It means "not openly; inwardly", if you care to
consult the same dictionary that you used to look what NAT stands
for up in.


> I'd choose "transparently" myself.



I'd choose "opaquely". Do you know its choices? Then what is transparent
about them?


> > pass returns back to you. It invents a port number to
> > represent you as you.

> Also bah.



What does "bah" mean? "basically agree here"?


> > It alone knows what the number is, so nobody
> > can "aim" packets at you. Well, they might guess if they examined the
> > packet stream,


> No they can't.



They can. They can see as well as anyone what the source port on the
incoming packets aimed at the telnet port are. They may not know what
internal IP they are translated to, but they know that port is
translated to something.


> > but they can't do it from cold.
> >
> > So yes, you get some "protection", but by way of obscurity.


> Please do not bandy terms like "protection by obscurity" about when you
> have no idea what they mean.



Then I'll feel free to "bandy them about", thanks.


> The bulk of this is so hilariously wrong I doubt I should have responded
> at all.



Next time just crawl under a bridge and drink the rest of that bottle
of medical rub. Thank you.


Peter

Jeroen Geilman
01-02-2004, 08:36 AM
P.T. Breuer wrote:

> However, it's also likely that your router will be doing NAT


It is a certainty.

> - in fact it must be given your LAN addresses.


Among other things.

> That makes things complicated.


How so ?

> Essentially your machines on the LAN are *not contactable at all*
> from outside under those circumstances.


Bah.

> NAT is a "dynamic forwarding firewall".


NAT means Network Address Translation.

> It's triggered by packets from your side going out. They
> configure the firewall to pretend to be you to the outside world, but
> secretly


Secretly ?
Must be a new definition of the word.
I'd choose "transparently" myself.

> pass returns back to you. It invents a port number to
> represent you as you.


Also bah.

> It alone knows what the number is, so nobody
> can "aim" packets at you. Well, they might guess if they examined the
> packet stream,


No they can't.

> but they can't do it from cold.
>
> So yes, you get some "protection", but by way of obscurity.


Please do not bandy terms like "protection by obscurity" about when you
have no idea what they mean.

The bulk of this is so hilariously wrong I doubt I should have responded
at all.
 