[rescue] Putting an insecure machine on a network

Patrick Giagnocavo patrick at zill.net
Sat Mar 18 12:28:40 CST 2006

On Sat, 2006-03-18 at 12:19, Sheldon T. Hall wrote:
> I need to connect to my network a completely insecure machine that cannot be
> secured.  I want to isolate it in a way that prevents it from connecting to
> anything but one address over the Internet, and do so in a way that cannot be
> subverted without physical access to the machine.
> I'm on DSL, and have one fixed IP address.  Behind that, a typical DSL modem
> with NAT and various port forwarding to my servers.
> I have a Sun SPARCclassic running Solaris 7 that has two NICs. One is on my
> internal network, the other is unused. Is there a way I can activate the
> second NIC and "lock" it in a way that any machine connected to it only has
> access to one IP address on the Internet, and no access to the Sun itself or
> to any machine on my network?

IPFilter plus a non-routable IP on the insecure machine, plus (optional)
an SSH tunnel that goes from Internet machine to insecure.


Router:, netmask

NIC 0:, netmask
NIC 1: netmask or something similarly oddball
IPFilter set up appropriately, blocking all access except to the
external IP
static ARP entry of insecure's MAC address into /etc/ethers

Insecure machine:, netmask

crossover cable from insecure to NIC 1

The ssh tunnel from Internet machine is optional.  IIRC you would set
sshd_config to AllowTcpForwarding=yes and GatewayPorts=yes on the
Solaris box, then use the -R and -L port forwarding commands in
combination to allow tunneled traffic from the remote IP to pop out on
the 10.1.1.x network.

if someone gets root on your Solaris box 
if someone can sniff traffic on your local switch they can probably get
the data (by rooting another machine or your little DSL router)
double-NATing may or may not cause an issue and needs to be tested
if all you need is connections initiated by insecure to the other
machine this may be overkill


More information about the rescue mailing list