Iptables question about peer-to-peer rules

Pedro Fernandes Macedo webmaster at margo.bijoux.nom.br
Mon Apr 4 23:47:42 UTC 2005


Mark Nixon wrote:

>Ahh. I've just talked to my son, and he mentioned something about my
>ADSL router also being a DHCP source, which means (I think) that every
>time I change my LAN config just a little, I'll get assigned a new
>"10.0.*" number, so what you and Pedro write is starting to make sense.
>
>If a take a machine off and add a machine, change an ethernet card, or
>whatever, my router could assign a 10.0.0.* number that would keep
>increasing, right?
>
Not 100% right... The DHCP server has the concept of lease time... So if
you turn off one machine and start the other one right after, then you would
probably get an IP address that was not previously in use... But if you
turn on the machine some time later (this can vary from 5 minutes to 2
hours, depending on the server), you could get the same IP address...

The idea behind restricting the firewall rule to allow access only to
machines in the 10.0.0.* range is that only people in that range will be
able to access your printer, samba shares, ssh server, etc. With a
rule like the one you posted originally (allowing 10.0.0.0/5), anyone
from 10.1.1.* could access your machine... (of course, this isn't such
an issue, since the 10.*.*.* range is assigned by IANA for private
network usage and most switches/routers wouldn't send/accept anything from
the outside world pretending to be from your network)
In fact, *if* your ADSL router provides a firewall, you *maybe* could
simply disable iptables *if* the firewall on the router is good enough...

Btw, you have to take into consideration that I'm paranoid... Being a
sysadmin at the computer science department at the university where I
study was something kinda hard (after all, every single student has all
the necessary knowledge to wreak havoc on the network...) so I became a
bit too paranoid about security...

>As far as I can see, with the 3-4 machines I have on my little LAN, it's
>not worth assigning fixed addresses?
>
It depends... I prefer to have fixed addresses... Since my brother runs
Linux 100% of the time and sometimes I need to access data on his
computer when I'm on Windows, I need to know the IP address he uses...
Also, if you want to open a service to the outside world (or you need
to open a port for bittorrent, for example) you'll probably need a
static IP... Most cable/ADSL routers can't forward ports to
dynamic addresses... Since I have a few services running here, I must
have a static IP...
But DHCP helps a lot, since it removes the burden of configuring all
machines on the network... Nothing is simpler than plugging in the cable and
running ifdown eth0; ifup eth0 (or ipconfig /renew on Windows machines)...

--
Pedro Macedo

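The following is an added example, not code from Pedro's message or from the thread. It makes the point above concrete: a small POSIX sh script that tests whether a source address falls inside a CIDR block (so you can see that 10.0.0.0/5 admits 10.1.1.* while 10.0.0.0/24 does not) and then prints the LAN-only iptables INPUT rules that restriction amounts to. The interface name eth0 and the service ports (ssh tcp/22, Samba udp/137-138 and tcp/139,445, CUPS tcp/631) are assumptions for the example; the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows how much wider a
# source range like 10.0.0.0/5 is than 10.0.0.0/24, and prints the
# LAN-only INPUT rules such a firewall consists of.
# Assumptions: the LAN interface is eth0; the services opened are
# ssh (tcp/22), Samba (udp/137-138, tcp/139,445) and CUPS (tcp/631).

# ip_to_int 10.0.0.1 -> 167772161 (dotted quad as a 32-bit integer)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK/PREFIX -> exit status 0 when ADDR is inside the block
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        # PREFIX leading one bits, truncated to 32 bits (4294967295 = 0xFFFFFFFF)
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# lan_rules NETWORK/PREFIX -> print an INPUT chain that drops everything
# except loopback, replies to our own connections, and the LAN services
# from the given block. Printed, not executed: review before running as root.
lan_rules() {
    lan=$1
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in 22 139 445 631; do
        echo "iptables -A INPUT -i eth0 -s $lan -p tcp --dport $p -j ACCEPT"
    done
    for p in 137 138; do
        echo "iptables -A INPUT -i eth0 -s $lan -p udp --dport $p -j ACCEPT"
    done
}

# Constructed sample addresses: two on the 10.0.0.* LAN, one from 10.1.1.*,
# and one from outside 10/8 entirely.
for a in 10.0.0.5 10.0.0.200 10.1.1.7 192.168.1.1; do
    for n in 10.0.0.0/24 10.0.0.0/5; do
        if in_cidr "$a" "$n"; then
            echo "$a is inside  $n"
        else
            echo "$a is outside $n"
        fi
    done
done
echo
lan_rules 10.0.0.0/24
```

Run it as an ordinary user: the rules are only echoed. Note that /5 covers 8.0.0.0 through 15.255.255.255, so it matches not just every 10.x.x.x host but several public ranges as well; /24 is the range the DHCP server in the thread actually hands out.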