DSL stuff (was Re: [SunRescue] Re: Help!)

Scott Newell rescue at sunhelp.org
Sat Apr 21 14:09:51 CDT 2001


>and if you are directing boxes 1 and 2 with private IPs to use box 3
>with a public IP as the gateway and box 3 uses the DSL modem as its
>gateway (or any combination thereof), you have mixed Public and Private
>which is not a good idea as all the boxes are exposed. If the DSL modem
>is permitting private address space ranges in and out, then you have a
>real problem. Someone could source route and come in uninvited. If your

Agreed.  (This is my setup--it does look totally insecure at first glance.)
 But what about PPPoE?  All the private LAN machines can ping and telnet
the DSL modem, but the modem won't bridge any traffic out to the public
unless it's encapsulated in a PPP frame.

Taking this one step farther--how can I test or monitor to see if the DSL
modem _does_ allow an outsider to access my private machines?  

Should I be looking for IP packets with the modem's MAC address but with an
destination IP address of something _other_ than my Linux router/firewall?
(Is there a good tool to do this kind of filtered analysis?)

Take down roaring penguin for a day and see if the modem generates any
traffic?  (That probably won't work--the telco will release my dynamic IP
if I drop the connection.)


>dslmodem itself is subject to compromise- a possibility demonstrated by
>the recent Alcatel gaffe- the entire LAN is totally open. Generally,
>only secured hosts should be exposed.

That reminds me...I'd changed my modem's IP address from the default so
that I could telnet in and monitor my line quality (shhh, don't tell SBC).
I think I'll change the default password too, just in case.


>+ $.02

Much appreciated!


thanks,
newell




More information about the rescue mailing list