#9
30th June 2011
Randux
Disgruntled desktop user
 
Join Date: May 2008
Location: Siberia
Posts: 100

Quote:
Originally Posted by jggimi
What do you mean by "orphan"? You could put your Windows platform on its own isolated subnet, so that it lives in its own DMZ, and cannot route packets to your valued, trusted subnet. To do this, you would need to replace your little router with something more capable (such as OpenBSD), or add an additional router (such as OpenBSD) just for the Windows platform. You would architect separate physical networks, with no valid routes between them.
Ah, now we're getting somewhere. Yes, I would like to learn more about subnets and managing them. I don't know what a DMZ is either, but I would like to keep the Windows box off my LAN in the sense that it is as untrusted as anything else outside the LAN. I have some books on PF, but I don't know the basic concepts to where those books are helpful yet. Do you have any recommendations on "executive concepts" reading where I can get enough info to be conversant and at least know what I want to do and how to ask questions about it, even if I don't understand how those things happen? I have a day job and a family and I can't learn to be a real network admin, but I would like to know enough focused information to secure and manage my own little network.

Quote:
Originally Posted by jggimi
Of course, if you do that, the Windows platform cannot communicate with services you might eventually want to offer it on the more trusted LAN, such as printers, web, or file servers. Using PF (if OpenBSD were a router), you could limit connections to just those you wish. But the services you permit might provide a vector into your trusted LAN -- it will be dependent on the services you allow, and what kind of vectors they might offer an attacker who has command and control of the Windows platform.
I realize that, and at this point having the Windows box totally off my LAN is fine. The only reason it's there is because it has to get to the internet and I have only one crappy connection.

Quote:
Originally Posted by jggimi
Do you mean network traces? Kernel traces examine process and system calls from applications, not network traffic.
I used the wrong terminology. In the past I noticed log messages with "kernel" on them and some outside IP address I didn't recognize. If I have any in my syslog I'll post them later.

Quote:
Originally Posted by jggimi
In any case, with a NAT router in front of those Linux boxes, you would expect incoming traffic through the router only for established sessions, initiated by the associated Linux box.
Yes, that's why I didn't like the looks of those messages.

Thanks for taking the time to explain this stuff.
__________________
BSDForums.org refugee #27
Multibooting with LILO
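For readers who want to see what the layout jggimi describes looks like in practice (Windows box on its own subnet, OpenBSD as the router, PF permitting only chosen services), here is an added example pf.conf in OpenBSD 4.7+ syntax. It is not from the thread or from either poster; interface names, address ranges and the printer ports are assumptions.

```pf
# Added example, not from the thread. Interfaces and addresses are assumed.
ext_if  = "em0"                 # towards the ISP router and the internet
lan_if  = "em1"                 # trusted LAN
dmz_if  = "em2"                 # isolated subnet holding only the Windows box
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
win_box = "192.168.2.10"
printer = "192.168.1.20"

set skip on lo
match in all scrub (no-df)

# One NAT rule serves both inside networks: the Windows box shares the
# single uplink without sharing the LAN.
match out on $ext_if inet from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# Default deny, logged: anything unexpected shows up on pflog0, which is
# where the "kernel" messages about unknown addresses would be checked.
block log all
antispoof quick for { lo $lan_if $dmz_if }
pass out

# Trusted LAN may reach the internet but never initiates into the DMZ, so
# no state exists that traffic from the Windows box could ride back along.
pass in on $lan_if inet from $lan_net to ! $dmz_net

# Windows box: internet only. "to ! $lan_net" is the whole isolation;
# with nothing else below, the two subnets have no valid path between them.
pass in on $dmz_if inet from $dmz_net to ! $lan_net

# The one permitted hole, which is also the one vector jggimi warns about:
# printing (IPP and raw JetDirect). Remove it for full isolation.
pass in on $dmz_if inet proto tcp from $win_box to $printer port { 631, 9100 }
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; blocked packets can be watched with `tcpdump -n -e -ttt -i pflog0`.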