RE: FW: Help! ipmasqadm problem - Help its still not working



On Wed, 14 Feb 2001, Brian Kimsey-Hickman wrote:

> Date: Wed, 14 Feb 2001 09:22:28 -0500
> From: Brian Kimsey-Hickman <kimhick@mpinet.net>
> To: Michael Wood <wood@kingsley.co.za>, debian-firewall@lists.debian.org
> Subject: RE: FW: Help! ipmasqadm problem - Help its still not working
> Resent-Date: Wed, 14 Feb 2001 15:23:54 +0100 (CET)
> Resent-From: debian-firewall@lists.debian.org
> 
> Thanks for the advice.  Actually I do need to MASQ both incoming and
> outgoing packets.  I have not mentioned this in previous postings, but this
> new firewall is set up on a second T-1 line.  I have an old T-1 and firewall
> that will be dropped a few weeks after this one is up.  If I don't mask the
> incoming then when the web server responds the routers will send that
> traffic out through the old T-1.  In the final product I was going to set
> the forward policy to DENY or REJECT and have two lines that would MASQ port
> 80 incoming and outgoing.  After the old T-1 is dropped then that could be
> changed.  I had not thought of it before you mentioned it but is it possible
> to MASQ both incoming and outgoing?
> 
> Thanks for the input,

Here are my thoughts about your problem:

1) You can't solve routing problems with firewall rules.

2) You do NOT need IP masquerading with port forwarding in any case. The
reply to a forwarded packet will be sent back to the forwarding host, not
to the original source address. Read
/usr/doc/netbase/ipmasqadm/README.portfw.gz (at least on Debian;-)
for details.

3) When you masquerade incoming packets you don't have a "wide open
firewall", you have something worse than no firewall at all. You are
preventing attackers from being recognised. The only case in which an external
packet is masqueraded is when it has a destination address in your
internal network. As you use private addresses for these networks, which
are never routed across networks, this can only be the case if someone
manually routes it to your external interface. Who other than an attacker
would do that?

HTH manolo

-- 
PGP and GnuPG public keys available at http://germany.keyserver.net
PGP: 24B81049 Fingerprint: D7 10 EE 2B 74 16 C0 64  B4 5F BA B2 90 29 3D AF
GPG: 6B299971 Fingerprint: A598 A41F 57A3 5D69 83D2  8027 1274 F8CD 6B29 9971
+++ United States of America ... where you can get elected with less votes +++
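The trade-off discussed in this thread, as an added model that is not part of the original mail or of ipmasqadm: a port-forwarding firewall rewrites only the destination, so the web server still sees the real client, but its reply then follows the server's default route (here, the old firewall) and never reaches the new firewall's translation state. Masquerading the inbound packet forces the reply back to the new firewall, at the cost of the server logging only the firewall's address. All addresses, the single forwarded port and the "source port unchanged" simplification are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

class Firewall:
    """Model of portfw-style forwarding of TCP/80 with optional inbound masquerade.
    Constructed example; not ipmasqadm's real state machine."""
    def __init__(self, ext_ip, int_ip, server_ip, masq_inbound):
        self.ext_ip, self.int_ip, self.server_ip = ext_ip, int_ip, server_ip
        self.masq_inbound = masq_inbound
        self.conntrack = {}                  # reply key -> (client ip, client port)

    def inbound(self, pkt):
        if pkt.dst != self.ext_ip or pkt.dport != 80:
            return None                      # not forwarded; left to the FORWARD policy
        fwd = replace(pkt, dst=self.server_ip)      # portfw: rewrite destination only
        if self.masq_inbound:                       # masquerade: hide the real source
            fwd = replace(fwd, src=self.int_ip)     # assumption: source port kept
        self.conntrack[(fwd.dst, fwd.dport, fwd.src, fwd.sport)] = (pkt.src, pkt.sport)
        return fwd

    def reply(self, pkt):
        """Undo the translation; only this host holds the state to do so."""
        orig_ip, orig_port = self.conntrack[(pkt.src, pkt.sport, pkt.dst, pkt.dport)]
        return Packet(self.ext_ip, orig_ip, pkt.sport, orig_port)

def server_next_hop(pkt, subnet, default_gw):
    """Web server routing: local subnet is delivered directly, else default gateway."""
    if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(subnet):
        return pkt.dst
    return default_gw

def run(masq_inbound, default_gw="192.168.1.254"):
    """Return (client address the server logs, next hop of its reply,
    address the reply finally reaches, or None if it bypassed the new firewall)."""
    fw = Firewall("198.51.100.2", "192.168.1.1", "192.168.1.10", masq_inbound)
    fwd = fw.inbound(Packet("203.0.113.5", "198.51.100.2", 40000, 80))
    reply = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)   # server answers
    hop = server_next_hop(reply, "192.168.1.0/24", default_gw)
    delivered_to = fw.reply(reply).dst if hop == fw.int_ip else None
    return fwd.src, hop, delivered_to
```

Pointing the server's default route at the new firewall (`run(False, "192.168.1.1")`) gives correct replies while the server still logs the real client, which is the routing fix the reply above recommends over masquerading.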