
Re: Validating NT through a NATting firewall



It's basically what you have now, except instead of using IP aliasing (ethx:y)
you use proxy_arp (echo 1 > /proc/sys/net/ipv4/conf/eth*/proxy_arp).  This
instructs Linux to respond to ARP requests for the 4 firewalled servers.
Once this is done traffic will pass through the firewall invisibly, as
though it were a switch.  You need to set proxy_arp on both interfaces
so that everyone will 'talk' through the firewall.

--- Leonardo Boselli <leo@dicea.unifi.it> wrote:
> On Thu, 27 May 2004, Mike Mestnik wrote:
> > I think you have this backwards, are you talking about --to-source or
> > --source?  I'm also wondering why not just use proxy-arp (set up with
> > the arp cmd) and set up the internal IPs to be what the external IPs
> > are?  This way the router can focus on firewalling traffic and not need
> > to do any NAT.
> 
> Proxy-arp would mean that in the "satellite" subnet I would have 4 hosts
> with addresses not in that net. No problem giving these hosts 2
> addresses, unless it could break some other things. BTW, what if someone
> from 192.168.19.66 tries to access a.b.c.194 that is inside that net, even
> if it has a second address 192.168.19.194?
> PS: do you have a howto on the proxy-arp option?
> > 
> > You should be using...
> > iptables -t nat $OTHEROPTS -i eth<to world> --destination <IP.ext> -j DNAT
> > --to-destination <IP.int>
> > 
> > iptables -t nat $OTHEROPTS -o eth<to world> --source <IP.int> -j SNAT
> > --to-source <IP.ext>
> > 
> > Then use "-t filter -? FORWARD" to set up all your allow/deny/drop
> > rules.  Also don't forget to use "-m state --state NEW" and "-m state
> > --state ESTABLISHED,RELATED" for connection tracking to take effect
> > (so I'm told).
> > 
> > --- Leonardo Boselli <leo@dicea.unifi.it> wrote:
> > > On Wed, 26 May 2004, Mike Mestnik wrote:
> > > > OK, use "iptables -nvL -t nat" to see what rules are being used.
> > > > Also use tcpdump or iptraf to see what traffic is not getting passed.
> > > 
> > > No rules added.  The only odd thing (but this is wanted) is that DNAT
> > > requires the source to be in a.b.c.0/24 while SNAT requires the
> > > destination to be anything (so I can access the hosts only from the
> > > local net, while they can start connections to every host in the net).
> > > PDC and BDC are a.b.c.11 .13 .15 .17 .19 !
> > > PS: GW uses kernel 2.4.26, not 2.4.25
> > > 
> > 
> > __________________________________
> > Do you Yahoo!?
> > Friends.  Fun.  Try the all-new Yahoo! Messenger.
> > http://messenger.yahoo.com/ 
> > 
> 



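The two set-ups discussed in this thread, worked through as an added example (this is not code from the list post or from either poster). It builds the proxy-ARP configuration Mike recommends above, and for comparison the 1:1 DNAT/SNAT configuration from his earlier reply, both behind the same stateful FORWARD policy. The interface names eth0/eth1, the placeholder net a.b.c.0/24 and the four server addresses are assumptions, not values from the thread; with DRY_RUN=1 (the default) the script prints the commands instead of running them, so it can be checked before it is applied as root.

```shell
#!/bin/sh
# Added example, not code from the list post.  Two ways to put a few public
# a.b.c.x servers behind a Linux router:
#   proxy_arp_setup   proxy ARP, no NAT (Mike's recommendation above)
#   nat_setup         1:1 DNAT/SNAT (Mike's earlier reply)
# Assumed, not from the thread: interface names, the placeholder a.b.c.0/24
# and the server addresses.  DRY_RUN=1 prints commands instead of running them.

EXT=${EXT:-eth0}                   # toward the rest of a.b.c.0/24 / upstream
INT=${INT:-eth1}                   # toward the "satellite" segment
LOCALNET=${LOCALNET:-a.b.c.0/24}   # placeholder for the real public /24
SERVERS=${SERVERS:-"a.b.c.11 a.b.c.13 a.b.c.15 a.b.c.17"}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Stateful FORWARD policy shared by both set-ups, for the servers given as
# arguments: replies always pass, servers may open connections anywhere, new
# inbound connections are accepted only from the local net.  Everything else
# is logged and dropped by the chain policy.
forward_rules() {
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for s in "$@"; do
    run iptables -A FORWARD -i "$INT" -o "$EXT" -s "$s" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -i "$EXT" -o "$INT" -s "$LOCALNET" -d "$s" -m state --state NEW -j ACCEPT
  done
  run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Proxy ARP: the servers keep their real a.b.c.x addresses.  The router
# answers ARP for them on the outside and for everyone else on the inside,
# and a /32 route per server tells it which side each one lives on (the /32
# wins over the connected /24 route on $EXT).
proxy_arp_setup() {
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$EXT.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$INT.proxy_arp=1"
  for s in $SERVERS; do
    run ip route add "$s/32" dev "$INT"
  done
  forward_rules $SERVERS
}

# 1:1 NAT: argument is a list of public:private pairs.  DNAT rewrites the
# public address on the way in, SNAT on the way out.  FORWARD sees the
# private addresses (after DNAT, before SNAT), so the filter rules are built
# from the private list.
nat_setup() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -F
  privs=""
  for p in $1; do
    pub=${p%%:*}; priv=${p#*:}
    run iptables -t nat -A PREROUTING -i "$EXT" -d "$pub" -j DNAT --to-destination "$priv"
    run iptables -t nat -A POSTROUTING -o "$EXT" -s "$priv" -j SNAT --to-source "$pub"
    privs="$privs $priv"
  done
  forward_rules $privs
}

# Print the proxy-ARP plan when run directly.
proxy_arp_setup
```

With proxy ARP the servers need the router's own a.b.c.x address as their default gateway, and nothing else changes for them. The NAT variant keeps the quirk Leonardo ran into: the DNAT rule only matches on -i eth0, so a host on the inside segment that addresses a server by its public a.b.c.x name never hits it, which is one reason the proxy-ARP layout is simpler here.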