
Re: [cobalt-security] Might be off topic. Are computers with 168.192.x.x safe from Internet?



On Sat, 2 Jun 2001, jwk at Zone Alpha wrote:

> 
> ----- Original Message -----
> From: shimi <shimi@xxxxxxxxxxxxxxxx>
> 
> > TO MAKE SURE, you have to set YOUR ROUTER, that is, the one plugged to the
> > switch, to accept all packets destined to you (or, to even block some of
> > them, for instance Netbios and stuff) - and all the others to be dropped.
> >
> > That way you can ensure that no packets will arrive to your 192.168 boxes.
> >
> > HTH,
> >
> > - shimi.
> 
> So, if I set up the router filtering rules so that it will accept traffic
> only to my static IPs and block all others, will my private-IP-only machines
> be safe from intruders?  Or could you perceive any possible way someone can
> perhaps hack into public machines with telnet or ftp server and access
> internal Windows NT server?  Even with firewalls, if some hacker still
> gets into public machines, are internal machines with only private IP
> addresses vulnerable or are they ABSOLUTELY safe?  This question has been
> bothering me and has forced me to keep the public and private segments
> physically separated to date.
> 
> James Kim

Direct access through the router will be indeed blocked.
If someone breaks into a system that has access to one of your local ones,
yes, he could access them too.
In order that NO matter what happens, your 192.168.* should stay
untouchable, the true solution would be a NAT firewall, basically a lame
Linux box, that has NO PORT open AT ALL (and thus untouchable, no matter
what) and an IPChains rule to MASQ any packets coming from 192.168.0.0/24.
That way they have full internet out, and nobody can get in. I have no
"grade" or anything about security, so take my words "as is".
Basically I am correct if it's not possible to hack into a machine without
listening ports. If I am wrong - I stand to be corrected.

HTH,

- shimi
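
Added example, not part of the original message: a small reachability model of the two layouts discussed in this thread, showing why a router filter alone leaves the private hosts exposed through a compromised public machine while a NAT box with no listening ports does not. Host names, segment names and addresses are constructed, and the model adopts the assumption stated in the message that a host can only be broken into if it has listening ports.

```python
from collections import deque
from ipaddress import ip_address, ip_network

def reachable_from_internet(hosts, router_allow):
    """hosts: name -> {"ifaces": [(addr, segment), ...], "listening": bool}.
    Returns the hosts an outside party can reach, directly or via a
    compromised neighbour. Assumption (from the thread): a host with no
    listening ports cannot be broken into."""
    allow = ip_network(router_allow)

    def neighbours(name):
        segs = {s for _, s in hosts[name]["ifaces"]}
        return [n for n, h in hosts.items()
                if n != name and segs & {s for _, s in h["ifaces"]}]

    # Step 1: the router filter only passes traffic to the static public IPs.
    queue = deque(n for n, h in hosts.items() if h["listening"]
                  and any(ip_address(a) in allow for a, _ in h["ifaces"]))
    seen = set(queue)
    # Step 2: anything sharing a segment with a reached host is next in line.
    while queue:
        for n in neighbours(queue.popleft()):
            if hosts[n]["listening"] and n not in seen:
                seen.add(n)
                queue.append(n)
    return seen

PUBLIC = "203.0.113.0/28"  # constructed stand-in for the static public range

# Layout A: public and private machines on the same switch, router filter only.
FLAT = {
    "web": {"ifaces": [("203.0.113.2", "switch")], "listening": True},
    "nt":  {"ifaces": [("192.168.0.10", "switch")], "listening": True},
}
# Layout B: private machines behind a masquerading box with no open ports.
NATTED = {
    "web": {"ifaces": [("203.0.113.2", "dmz")], "listening": True},
    "nat": {"ifaces": [("203.0.113.3", "dmz"), ("192.168.0.1", "lan")],
            "listening": False},
    "nt":  {"ifaces": [("192.168.0.10", "lan")], "listening": True},
}

if __name__ == "__main__":
    print("router filter only:", sorted(reachable_from_internet(FLAT, PUBLIC)))
    print("behind NAT box:    ", sorted(reachable_from_internet(NATTED, PUBLIC)))
```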