Very Computer

Hello,

I'm going to have cable modem installed in my home private network.
Right now, I'm using PPP dialup to serve the rest of the machine at home
by IP Masq. I want to know what is the best way (in terms of security)
to go for the configuration 'cos I heard that IP Aliasing can be used
without installing extra network adapter in the server. On the other
side, people have opinion that it would be security problem if do it in
single NIC... Please feel free to tell your opinion. Thanks.

Kelvin

*** Here is an opinion:

    (assumes you have 2 or more pc's all wanting
     to share the cable modem link)

    First the cost of a perfectly adequate nic
    is $30 (note that a cable modem peaks out at
    something like 500K bytes per sec download and
    100K upload so no reasonable nic will be a
    bottleneck, and no payoff for paying
    more either)

    Second, although you *for sure* should chose
    IP numbers in the private  non-internet-routed
    ranges (eg 192.168.x.x) for all your internal
    pc/nics - all your internal traffic on that
    physical subnet does potentially go up
    the cable modem link -- and all the pc's on
    your internal link are exposed to every packet
    that comes from the modem.  If your kid wants to
    change ip # settings on his pc, you have no way
    to prevent him or limit the consequences of what
    he does to his pc -- in other words you have no
    real 'firewall' or even a single point of contact
    with a potentially agressive universe.

    Third,  your ISP and other cable modem users on
    your cable leg will not like you polluting the
    'shared ether' with your internal traffic.

    Fourth, some ISPs use a dhcp to supply IP#s to
    clients (for ISP gatweay and dns).  The single
    nic approach prevents you from running your own
    dhcp server to transparently replace this function
    for your clients    

    Thus in my view - use 2 nics
     -it's a no-brainer

Jim

Actually I don't think it's paranoid to have two NIC's. Consider the following
possibility:

You get two or more Linux savvy users on a cable modem segment. While it's
true that the 192.168.0.* address are not routed, the router is at the head
of the segment. So with a single NIC 2,3 or more people can have 192.168.0.*
packets floating around, which could possibly start interefering with each
other. And it would be a * to debug too...

I'd stick to the convention that nothing but valid IP's go out the cable modem
because you don't know what's going on with the cable modem segment. Even
if other users are sending private packets on the segment, with a properly
configured masquerading box sitting between the modem and the internal network,
those packets will not affect you...

Spend the $20-$30 to get another NIC and sleep easy.

BTW a question about cable modems: I presume that when the cable goes out due
to storms and whotnot, that the Internet service goes offline too?

BAJ
--
Another random extraction from the mental bit stream of...
Byron A. Jeff - PhD student operating in parallel - And Using Linux!

Quote:>I'm using one NIC to connect to a hub which then has the cable modem
>plugged into it, as well as a printer.  The printer I have on a
>192.168.0.* address, which means it won't get routed to the outside
>world.

--

_________________________________________________________________________
The above opinions are my own and not those of ISM Corp., a subsidiary of
IBM Canada Ltd.