
Re: FireHOL Question



--- Daniel Pittman <daniel@rimspace.net> wrote:

> On 23 Sep 2004, Mike Mestnik wrote:
> > --- Daniel Pittman <daniel@rimspace.net> wrote:
> 
> [...]
> 
> >> Just a quick question: are you sure you don't want to give those LAN
> >> machines a public IP address, and use standard IP forwarding?
> >>
> >> Others have suggested, of course, the use of the 'dnat' function with
> >> firehol to perform the address transformation.  
> >>
> >> Also, note that using NAT means that accessing those public addresses
> >> within the LAN will not work without significant and annoying work on
> >> your part.
> >
> > Documented here:
> > http://wiki.debian.net/index.cgi?Firewalls-dnat-redirect
> >
> > Now that I think of it, there are some of the same problems with using
> > external IPs on an internal network. Though the default setup is
> > working, ok, and valid.
> 
> Exactly which of the same problems do you see with using external IP
> addresses on the internal network?
> 
I don't know if it made the WiKi, but it's not optimal to have a case
where ICMP redirects are sent.  In this case I'm talking about the case
where eth1 is the internal device and it is both '-i' and '-o' in the
forward chains.

> You see, as long as NAT is not involved, this is the way the Internet
> has worked since the introduction of IP, so whatever issues you think
> you see are ... difficult to imagine.
> 
I'm only talking about local clients, on the same (or downstream)
Ethernet as the server.

> 
> If there is some description of the problem you see on that page in the
> wiki, I cannot locate it.
> 
"All packets then go through this path. This works, but involves the
firewall in all of the traffic."  In this case it's only 1/2 true, but
then only if the ICMP redirects are ignored or not sent.

> I have, however, started to rewrite it to make it easier to find actual
> information in there.
> 
Thank you for the help.

If you get to this before me...
"1. Talk to the right IP address. 2. Force all packets to go back through
the firewall machine."
> 
> So, if you could spell out which problems you imagine would be
> encountered by not using NAT, that would be great.
> 
There are many, though I don't think too many of them have to do with what
I think you are talking about.

> Regards,
>        Daniel
> -- 
> The length of a film should be directly related to the endurance of 
> the human bladder.
>         -- Alfred Hitchcock
> 
> 



		
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
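The two steps quoted above ("talk to the right IP address" and "force all packets to go back through the firewall machine") are what a hairpin DNAT needs when a LAN client connects to the public address of a server that sits on the same LAN behind the firewall. The script below is an added example, not code from the thread and not FireHOL's own dnat helper: it emits plain iptables rules for that case, plus the sysctl settings that stop the firewall sending ICMP redirects when it forwards in and out of eth1. All addresses, the interface names eth0/eth1 and port 80 are constructed assumptions; by default it only prints the commands (set IPT=iptables to load them as root).

```shell
#!/bin/sh
# Hairpin ("loopback") DNAT for a server behind a NAT firewall.
# Assumed layout (constructed for this example, not from the thread):
#   eth0 = public side, eth1 = LAN side
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}     # address LAN clients and the Internet connect to
SERVER_IP=${SERVER_IP:-192.168.1.20}     # real server on the LAN
FW_LAN_IP=${FW_LAN_IP:-192.168.1.1}      # firewall's own eth1 address
LAN_NET=${LAN_NET:-192.168.1.0/24}
PORT=${PORT:-80}
# Dry run by default: print the rules instead of loading them.
IPT=${IPT:-"echo iptables"}

# Step 1 ("talk to the right IP address"): rewrite the destination for
# every packet aimed at PUBLIC_IP, whichever interface it arrived on.
dnat_rules() {
    $IPT -t nat -A PREROUTING -d "$PUBLIC_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER_IP:$PORT"
}

# Step 2 ("force all packets to go back through the firewall machine"):
# a LAN client's packet comes in on eth1 and leaves on eth1 again towards
# the server. Without this SNAT the server answers the client directly,
# the reply never passes the firewall's connection tracking, and the client
# drops it because it arrives from SERVER_IP instead of PUBLIC_IP.
hairpin_snat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -d "$SERVER_IP" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$FW_LAN_IP"
}

# Let the forwarded traffic through in both directions.
forward_rules() {
    $IPT -A FORWARD -d "$SERVER_IP" -p tcp --dport "$PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -s "$SERVER_IP" -p tcp --sport "$PORT" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Whenever the firewall forwards a packet back out of the interface it
# came in on (the hairpin above, or public addresses routed on the LAN),
# the kernel sends an ICMP redirect telling the client to reach the
# server directly, which bypasses the firewall. Silence that on eth1.
redirect_sysctls() {
    echo "net.ipv4.conf.eth1.send_redirects = 0"
    echo "net.ipv4.conf.eth1.accept_redirects = 0"
}

all_rules() {
    dnat_rules
    hairpin_snat_rules
    forward_rules
}

all_rules
redirect_sysctls
```

With the default dry run the four iptables commands and the two sysctl lines are printed; put the sysctl lines in /etc/sysctl.conf so they survive a reboot. Note that the SNAT deliberately matches only LAN sources: Internet clients keep their real source address, so the server's logs stay meaningful for them.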


