IP Masquerading does not prevent modification of web server scripts. It simply prevents external access to your internal network. IP Masquerading is the basic principle of both firewalls and of Proxy servers. Your internal machines pass their request to the server which sends it using its own IP to the server while at the same time logging which internal address that message belongs to. Then when it receives a response it sends it through to the appropriate internal address. This means your internal addresses are not sent over the internet (only the one external address).

Furthermore there are IP ranges that cannot be sent on the internet (no internet router will (should) pass them) such as the 10.x.x.x range. If you use such a range for your internal addresses then to get access to the internal network a hacker must hack your Proxy\Firewall server as only it can talk to your internal network. As far as I know it's not possible to block this sort of thing as it is designed to be undetectable to external servers for security reasons.

If you use a Microsoft Proxy you can even have reverse proxying whereby you can have a server running on an internal machine and Proxy Server will forward it to the appropriate internal server based on service (i.e. you assign an internal IP as your SMTP server and all access to Port 25 on the external server is forwarded to the designated internal address).

Tom.

-----Original Message-----
From: Mike Werner [mailto:reznaeous@EARTHLINK.NET]
Sent: Tuesday, February 15, 2000 3:40 PM
To: PICLIST@MITVMA.MIT.EDU
Subject: Re: [OT] IP Masq / IPChains (was Internet Toaster)

On Mon, Feb 14, 2000 at 11:09:31PM -0500, Randy Glenn wrote:
> I'm not so sure about IPCHAINS - soon, your broadband providers might not
> let you use it.

Ipchains is a packet filtering / firewalling package. That's the kind of thing that *needs* to be run more often, as that's what helps block out those script kiddies.

> @Home only lets me use their web page and email from the computer connected directly to
> the cable modem - not the other 4 behind that computer! Unless, that is, you pay for extra
> IP addresses... to a maximum of 2 extras per cable "modem"...

We're on a dial-up, but they supposedly only allow one connection. However through the magic of proper IP Masquerading there's no way for anyone outside of our LAN to tell that there's 2 or 3 systems going out to the 'net through our one modem. And according to reports this same system works quite well with the various DSL and cable modem services, including @home.

--
Mike Werner KA8YSD | "Where do you want to go today?"
ICQ# 12934898 | "As far from Redmond as possible!"
'91 GS500E | Morgantown WV | Only dead fish go with the flow.