
Re: man-in-the-middle



--- Hans du Plooy <hansdp@newingtoncs.co.za> wrote:

> On Thursday 07 October 2004 14:30, maarten wrote:
> > Can you elaborate more on the network setup ?  I'm confused; if the
> > machines are on the same subnet, you can't prevent them from talking to
> > each other directly.
> Sure, they're not on the same subnet (unless you see the internet as one
> 
Well, for all practical purposes they MUST be.  If they're not, then you don't
need NAT, proxy_arp, or bridging.  You just route, and then the client gets
what they wanted/asked for: smoke and mirrors.  I'm talking about a magic
trick, though to sell it you have to fudge facts.

For the impractical case where A can talk directly to B while on different
subnets, proxy_arp will work best.  This way your 'client' won't be able to
see the MAC address of B while on computer A.

> subnet).  They are both on public IPs - but for reasons that were not
> disclosed to me, they're not allowed to talk to each other directly, even
> though they can (I know, I'm itching to find out why too!).
> 
Without knowing WHY they can't talk, it's impossible to find a way for them
to talk, unless you manage to hit the right keys. :)

This really sounds like they have NO IDEA what networking two computers
will do.  In any event you can just set up DNAT for both computers; then
for the SNAT, connection tracking will fill it in.

There are 3 very good options that are better; two are very similar
ethernet-based solutions.  The other is regular IP-based routing.

> Hence the box in the middle, which has two public IPs, so it's basically just
I don't think turning on IP aliasing would be a good idea.  You can use
farpd (user-based IP takeover) to handle the proxy_arp.

> getting the box in the middle to act as a proxy of sorts between the other
> two (I do not know what the software is either - if it's something like
> Postfix there would be much cleaner ways to do this, but I don't know)
> without them knowing.
> 
It's a TTL decrement; you can easily block the ICMPs that traceroute uses,
OK?

> > If they're not, there is a router somewhere, and
> > adding your box will certainly complicate the setup, both for you and for
> > the router-person. Also, does your box in the middle have one or two NICs ?
> Two, each with a public IP.  I do not have the IPs yet, I'll only be given
> that when I'm taken to the server room (no idea why) but I need to know that
> I can do this before I waste my and the client's time going there.
> 
"ifconfig up" is handy when you don't have an IP.

> > The thing is, if you just bridge everything, there is little use, is there.
> > The real question is _why_ do you need the box in the middle.  If all it
> > should look like to the boxen is just thin air, I don't see what (legal)
> > purpose that box would serve. Is it for protection ? Monitoring ?
> I wish I knew.  It's pretty senseless.
> 
> > On that note: Do boxes A and C know that there is something in between them?
> No, they shouldn't - that's the idea.  They are to believe that they are
> talking directly to one another, while they're actually talking to a linux
> box <evil grin :-> that's passing the message on, pretending to be the
> sender.  I hope that makes sense
> 
Proxy_arp satisfies all of these requirements, just at the ethernet level,
not the IP level.

> Thanks for your replies
> -- 
> Kind regards
> Hans du Plooy
> Newington Consulting Services
> hansdp at newingtoncs dot co dot za
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 
> 



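The middle-box setup the thread is circling around (proxy_arp on the Linux box M between A and B, or DNAT on M's own addresses with connection tracking reversing the mapping on the replies, plus removing the two tells of an extra hop: the TTL decrement and the ICMP "time exceeded" messages traceroute collects), as an added shell example that is not part of any post in this thread. The addresses, the interface names eth0/eth1 and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the script only prints the commands it would run, and with DRY_RUN=0 it runs them and needs root. One caveat the thread does not spell out: proxy ARP only helps when A actually sends an ARP request for B's address, i.e. when the two hosts share a subnet or each has a link-scoped host route for the other; if A reaches B through a default gateway, M never sees that ARP and has to sit in the routed path instead.

```shell
#!/bin/sh
# Added example (not from the list thread): a Linux box M with two NICs
# placed between hosts A and B so that each still addresses the other's
# real IP and sees no extra hop.  All addresses and interface names are
# assumptions for illustration.
A_IP=198.51.100.10      # host A, on the eth0 side of M (assumed)
B_IP=198.51.100.20      # host B, on the eth1 side of M (assumed)
IF_A=eth0
IF_B=eth1
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = really run them (root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Option 1: proxy ARP.  M answers ARP queries for B on A's segment and for
# A on B's segment, so A's ARP table lists M's MAC under B's IP.  Host routes
# tell the kernel which NIC each peer is behind, and FORWARD is locked down
# to the one A<->B conversation so M does not become a general router.
proxy_arp_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w "net.ipv4.conf.$IF_A.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$IF_B.proxy_arp=1"
    run ip route replace "$A_IP/32" dev "$IF_A"
    run ip route replace "$B_IP/32" dev "$IF_B"
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$IF_A" -o "$IF_B" -s "$A_IP" -d "$B_IP" -j ACCEPT
    run iptables -A FORWARD -i "$IF_B" -o "$IF_A" -s "$B_IP" -d "$A_IP" -j ACCEPT
}

# Option 2: DNAT on M's own addresses (assumed).  A is pointed at M_A_SIDE
# and B at M_B_SIDE; each DNAT is undone automatically by conntrack on the
# reply packets of the same flow.  The SNAT rules exist so that the peer
# sees M as the source and answers M rather than the other host directly.
M_A_SIDE=198.51.100.1
M_B_SIDE=198.51.100.2
dnat_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A PREROUTING -i "$IF_A" -d "$M_A_SIDE" -j DNAT --to-destination "$B_IP"
    run iptables -t nat -A PREROUTING -i "$IF_B" -d "$M_B_SIDE" -j DNAT --to-destination "$A_IP"
    run iptables -t nat -A POSTROUTING -o "$IF_B" -s "$A_IP" -j SNAT --to-source "$M_B_SIDE"
    run iptables -t nat -A POSTROUTING -o "$IF_A" -s "$B_IP" -j SNAT --to-source "$M_A_SIDE"
}

# Hiding the hop.  Forwarding decrements TTL by one; bumping it by one in
# mangle PREROUTING (before the forwarding decrement) cancels that, so a
# traceroute probe with TTL 1 reaches B instead of expiring at M.  Dropping
# M's own ICMP time-exceeded output covers any probe that still expires here.
# Incrementing TTL means a looping packet would never die, so only do this
# on a box with exactly the two interfaces in play.
hide_hop() {
    run iptables -t mangle -A PREROUTING -i "$IF_A" -j TTL --ttl-inc 1
    run iptables -t mangle -A PREROUTING -i "$IF_B" -j TTL --ttl-inc 1
    run iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j DROP
}

# MODE=dnat selects option 2; anything else selects proxy ARP (assumed switch).
if [ "${MODE:-proxy-arp}" = dnat ]; then
    dnat_setup
else
    proxy_arp_setup
fi
hide_hop
```

Run it once with DRY_RUN=1 and read the emitted rules before applying anything; the TTL trick in particular is easy to forget about later when the box grows a third interface.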
		
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 


