Author: Harry Putnam Date: To: exim-users Subject: Re: [Exim] Home network mailhub
Phil Pennock <Phil.Pennock@???> writes:
First off: Phil, your comments have been very helpful and
informative. At this juncture it appears that I read read read and
experiment to get something beyond the basic working setup. I think
you've provided an outline and method to do that if I want to continue
into it.
Thanks for that.
Now just a little more about this source-routing stuff:
>> > It depends. How are the internal addresses reachable? The NAT box
>> > _does_ prevent source-routing, yes?
>>
>> I don't really know what source-routing is. Maybe a description of
>> what I see happen will provide enough clues for you to tell.
>
> In this context, loose source routing, as described in RFC 791. The
> originating machine sends packets to your private addresses, specifying
> a route of your gateway box. If enough systems pass this on unmolested
> for the packet to reach you, and your gateway box supports this, then
> the gateway would then pass the packet onto your internal machine,
> despite there not being a route to that box on the general internet.
>
> In this day and age, simply don't accept any source-routed packets.
> Much safer. Your kernel will have some means of checking. If Linux,
> it's something under /proc. If derived from BSD4.4, then a sysctl
> variable.
>
> Hopefully, your vendor is clued enough to have disabled it. But since
> you're being paranoid, your paranoia is better spent double-checking
> these things than worrying about RFC1918 addresses inside Received:
> headers. Trust me on this, I'm a paranoid. ;^)
In this case my kernel comes into play only after the firewall, which
is a NETGEAR FR314. This is sort of the high end of the low end of home
use dsl/router/firewalls. It's fairly new (within the past year). I
don't remember seeing any settings that mention source-routing by that
name, but I suspect it would be a standard thing to have rejected at the
firewall. Apparently source-routing is recognizable or has some kind
of signature? How might I test this?
'specifying a route of your gateway box'
How does one do that? If I were to ssh to a machine on the internet
where I have an account, what would I fire off at my home IP to try
that? That is, how does one specify a route to the IP number but aim
at the internal IP names/numbers?
I have nmap'ed the IP address before and found only port 22 open.
> If you're dealing with a system carrying officially classified data,
> then the rules change and my analysis might well not be acceptable. If
> this applies, then a public mailing-list isn't the place to be asking.
> :^)
I see that you've guessed, I'm spearheading research for President
Bush's war...... So you think I shouldn't get into the security
details here then eh? :-)
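The kernel-side check Phil points at ("If Linux, it's something under /proc"), as an added example that is not part of the original thread: it reads the per-interface accept_source_route flags under /proc/sys/net/ipv4/conf and returns nonzero if any interface still accepts source-routed packets. The optional directory argument is an assumption added here so the same function can be run against a constructed copy of that tree.

```shell
#!/bin/sh
# Check whether a Linux kernel accepts loose/strict source-routed IPv4
# packets (RFC 791 options). Each interface has its own flag under
# /proc/sys/net/ipv4/conf/<iface>/accept_source_route; the "all" and
# "default" entries cover every current and future interface.

# Prints one line per interface. Returns 0 if every entry rejects
# source routing, 1 if any entry accepts it.
# $1 (optional, assumed for testing): directory to scan instead of /proc.
check_source_route() {
    conf_dir="${1:-/proc/sys/net/ipv4/conf}"
    accepting=0
    for f in "$conf_dir"/*/accept_source_route; do
        [ -f "$f" ] || continue          # empty glob leaves the literal pattern
        iface=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        if [ "$val" = "0" ]; then
            printf '%-12s rejects source-routed packets\n' "$iface"
        else
            printf '%-12s ACCEPTS source-routed packets (value %s)\n' "$iface" "$val"
            accepting=1
        fi
    done
    return "$accepting"
}

# Run against the live kernel when the tree exists (skipped elsewhere).
if [ -d /proc/sys/net/ipv4/conf ]; then
    if check_source_route; then
        echo "OK: kernel drops source-routed packets on all interfaces"
    else
        echo "WARNING: harden with these lines in /etc/sysctl.conf, then 'sysctl -p':"
        echo "  net.ipv4.conf.all.accept_source_route = 0"
        echo "  net.ipv4.conf.default.accept_source_route = 0"
    fi
fi
```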