-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

We have shorewall behind a NAT router (belt and suspenders). This is wonderfully secure, but I never get to see who is attempting anything nasty.

I had thought of aliasing, let's say 192.168.0.50 to the NIC behind the router and setting the router to treat that IP as a DMZ. That should allow me to see what is happening and yet have an IP I can kill without disrupting anything else.

Now, if that makes sense, I'd like to go a step further and use labrea or some other tarpit, and create some rules to allow this.

Since I've never done this before, I thought I'd ask if this was sane, and if so, what the appropriate shorewall rules might be.

If it is a really dumb idea, feel free to tell me so.

- --
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
=====================
Having realized I will not achieve greatness, I'll settle for anonymity.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Sed quis custodiet ipsos custodes?

iD8DBQFA/AYeo0pgX8xyW4YRA3lDAKCBVQLS4WiJKdzSOAHFnHxSn680IACdGhwa
NeEQnxXTBphjp787RJYvZxo=
=mA1Q
-----END PGP SIGNATURE-----
On Mon, 2004-07-19 at 10:34 -0700, Robin Lynn Frank wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> We have shorewall behind a NAT router (belt and suspenders). This is
> wonderfully secure, but I never get to see who is attempting anything nasty.
>
> I had thought of aliasing, let's say 192.168.0.50 to the NIC behind the router
> and setting the router to treat that IP as a DMZ. That should allow me to
> see what is happening and yet have an IP I can kill without disrupting
> anything else.
>
> Now, if that makes sense, I'd like to go a step further and use labrea or
> some other tarpit, and create some rules to allow this.
>
> Since I've never done this before, I thought I'd ask if this was sane, and if
> so, what the appropriate shorewall rules might be.
>
> If it is a really dumb idea, feel free to tell me so.

The idea seems rather suspect to me. If you were planning on setting up a honeypot, there might be some validity to it, but otherwise I think you are just creating more work for yourself.

Personally, I don't find much security in those home routers, especially if I have something considerably more powerful such as a Linux box with Shorewall. In this scenario, I would just drop the exterior NAT box and put the Shorewall box at the perimeter. This would also remove a hop and a single point of failure.

-- 
David T Hollis <dhollis@davehollis.com>
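The original question was really about visibility ("I never get to see who is attempting anything nasty"), and the advice above is to put the Shorewall box at the perimeter, where its DROP/REJECT logging already records every unsolicited packet. The following is an added example, not code from this thread or from the Shorewall project: a small parser that summarises Shorewall log lines by source address and flags sources that touch several distinct ports. It assumes the default Shorewall log prefix `Shorewall:<chain>:<disposition>:` followed by the standard netfilter LOG fields (`SRC=`, `DST=`, `PROTO=`, `DPT=`, ...) as written to syslog; the sample lines, the addresses (RFC 5737 documentation ranges) and the `scan_threshold` of three ports are constructed for the example.

```python
"""Summarise Shorewall DROP/REJECT log lines: who is knocking, on which ports.

Added example, not code from the thread or the Shorewall project. It assumes
the default Shorewall log prefix "Shorewall:<chain>:<disposition>:" in front
of the netfilter LOG fields (SRC=, DST=, PROTO=, DPT=, ...) as seen in syslog.
"""
import re
from collections import defaultdict

# Constructed sample input (RFC 5737 documentation addresses), not real
# traffic from the thread. One non-Shorewall kernel line is mixed in to
# show that unrelated syslog lines are ignored.
SAMPLE_LOG = """\
Jul 19 10:31:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9218 PROTO=TCP SPT=4433 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 19 10:31:03 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9219 PROTO=TCP SPT=4434 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 19 10:31:03 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9220 PROTO=TCP SPT=4435 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 19 10:31:04 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=9221 PROTO=TCP SPT=4436 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 19 10:32:40 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=203.0.113.5 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=2 PROTO=UDP SPT=1041 DPT=1434 LEN=384
Jul 19 10:33:10 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=203.0.113.5 LEN=404 TOS=0x00 PREC=0x00 TTL=113 ID=3 PROTO=UDP SPT=1041 DPT=1434 LEN=384
Jul 19 10:35:00 gw kernel: eth0: link up, 100Mbps, full-duplex
Jul 19 10:36:12 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=31337 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# "Shorewall:net2fw:DROP:" then the space-separated KEY=VALUE fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<fields>.*)$")
# Bare flags such as "SYN" have no "=" and are skipped; "OUT=" yields "".
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    kv = dict(FIELD_RE.findall(m.group("fields")))
    dpt = kv.get("DPT")
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": int(dpt) if dpt is not None and dpt.isdigit() else None,
    }


def summarize(text, scan_threshold=3):
    """Group DROP/REJECT entries by source address.

    Returns {src: {"hits": n, "ports": [(proto, dport), ...], "scan": bool}}.
    A source that touches scan_threshold or more distinct ports is flagged
    as a probable port scan (the threshold is an assumption for this example).
    """
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue
        if rec["disposition"] not in ("DROP", "REJECT"):
            continue
        entry = per_src[rec["src"]]
        entry["hits"] += 1
        if rec["dpt"] is not None:          # ICMP has no destination port
            entry["ports"].add((rec["proto"], rec["dpt"]))
    result = {}
    for src, e in per_src.items():
        ports = sorted(e["ports"])
        result[src] = {"hits": e["hits"], "ports": ports,
                       "scan": len(ports) >= scan_threshold}
    return result


def report(summary):
    """Render the summary as text, busiest source first."""
    lines = []
    for src, e in sorted(summary.items(), key=lambda kv: -kv[1]["hits"]):
        ports = ", ".join(f"{p}/{d}" for p, d in e["ports"]) or "(no port, e.g. ICMP)"
        flag = "  <- probable port scan" if e["scan"] else ""
        lines.append(f"{src:16} {e['hits']:4} hits  {ports}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Fed a real `/var/log/messages` (or wherever the `LOG` target output lands on the firewall), this gives the "who is attempting anything nasty" view without exposing anything: the packets are still dropped, only their headers are recorded. Dispositions other than DROP and REJECT (for example ACCEPT entries from rules that log accepted traffic) are deliberately left out of the summary.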
Robin Lynn Frank wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> We have shorewall behind a NAT router (belt and suspenders). This is
> wonderfully secure, but I never get to see who is attempting anything nasty.
>
> I had thought of aliasing, let's say 192.168.0.50 to the NIC behind the router
> and setting the router to treat that IP as a DMZ. That should allow me to
> see what is happening and yet have an IP I can kill without disrupting
> anything else.
>
> Now, if that makes sense, I'd like to go a step further and use labrea or
> some other tarpit, and create some rules to allow this.
>
> Since I've never done this before, I thought I'd ask if this was sane, and if
> so, what the appropriate shorewall rules might be.
>
> If it is a really dumb idea, feel free to tell me so.

Strikes me as a proposal to let the Barbarians through the outer gates so that you can take their pictures. Once you've done that, any benefit of having two sets of gates seems to have been lost.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Monday 19 July 2004 11:25, Tom Eastep wrote:
> Robin Lynn Frank wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: RIPEMD160
> >
> > We have shorewall behind a NAT router (belt and suspenders). This is
> > wonderfully secure, but I never get to see who is attempting anything
> > nasty.
> >
> > I had thought of aliasing, let's say 192.168.0.50 to the NIC behind the
> > router and setting the router to treat that IP as a DMZ. That should
> > allow me to see what is happening and yet have an IP I can kill without
> > disrupting anything else.
> >
> > Now, if that makes sense, I'd like to go a step further and use labrea
> > or some other tarpit, and create some rules to allow this.
> >
> > Since I've never done this before, I thought I'd ask if this was sane,
> > and if so, what the appropriate shorewall rules might be.
> >
> > If it is a really dumb idea, feel free to tell me so.
>
> Strikes me as a proposal to let the Barbarians through the outer gates
> so that you can take their pictures. Once you've done that, any benefit
> of having two sets of gates seems to have been lost.
>
> -Tom

Well, since you put it that way, I guess I will file that idea under bad idea #1,101,238. Maybe I can tweak the NAT router's alleged reporting capabilities, instead.

(Now, if I can only get the barbarians to smile as I take their picture...)

- --
Robin Lynn Frank
Director of Operations
Paradigm-Omega, LLC
=====================
A bureaucrat's idea of cleaning up his files is to make a copy of everything before he destroys it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Sed quis custodiet ipsos custodes?

iD8DBQFA/Bs9o0pgX8xyW4YRA8sqAKDZK/FtrMIQWjcE0CbCiV3dwP2l7wCcDGLI
eZmPgpuU+YWcDslWQwUofLo=
=BZaz
-----END PGP SIGNATURE-----