[Gllug] Firewalls

Matthew Thompson matt at actuality.co.uk
Tue Feb 18 14:31:45 UTC 2003


On Tuesday, Feb 18, 2003, at 14:06 Europe/London, Tethys wrote:

> Just run a transparent bridging firewall. There's a tutorial on how
> to do this with OpenBSD here:
>
> 	http://www.daemonnews.org/200103/ipf_bridge.html
>
> It's probably fairly simple to do the same with Linux, but OpenBSD's
> always been fine for all my firewalling needs, so I've never really
> looked into what Linux can do in that area.

How similar are OpenBSD and Linux for networking? I'm not averse to 
using OpenBSD.

> Just curious... what does it do that doesn't work with NAT? Are you
> sure it doesn't work with NAT, or does it just not work with Cisco
> NAT? Rather than doing true packet rewriting, Cisco routers have a
> habit of just encapsulating the original packet, which means the
> destination machine can see that it's been NATed. If the packet's
> being properly rewritten, the app doesn't know unless the application
> level protocol embeds IP addressing information as well (which is
> pretty rare).

The NAT was provided by Shorewall. The VPN that doesn't work with it is 
Checkpoint's Firewall 1 Windows client. A different VPN set up using 
KAME on Mac OS X works through the NAT perfectly.

It looks as if Firewall 1's software reports the IP address of the 
interface as the point to which the tunnel should be set up, rather than 
setting it up to the true originating interface. As such the PC always 
had a private address, and the firewall was trying to route to that 
rather than to the public address of the firewall at our end.

Bloody ISPs, why can't they start using IPv6?

M at t :o)


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
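The failure Matthew describes, and the point Tethys makes about NAT only breaking applications that embed IP addressing information in their own payload, can be shown with a small simulation. This is an added illustration, not code from the thread, from Shorewall, or from any of the VPN products named; all addresses are constructed (RFC 1918 for the PC, documentation ranges for the public sides), and the "embedding" and "header-only" clients are simplified stand-ins for the two behaviours the thread reports.

```python
"""Why a VPN client that reports its own interface address in the payload
breaks behind a NAT, while a client that relies on the IP header does not.
Added example; all addresses below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PRIVATE_CLIENT = "192.168.1.10"   # constructed: the PC behind the Shorewall NAT
NAT_PUBLIC = "203.0.113.5"        # constructed: public side of the NAT box (TEST-NET-3)
VPN_GATEWAY = "198.51.100.1"      # constructed: remote firewall (TEST-NET-2)

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Packet:
    src: str
    dst: str
    payload: dict = field(default_factory=dict)


def masquerade(pkt: Packet, public_ip: str) -> Packet:
    """Source NAT as a proper packet-rewriting NAT does it: only the IP
    header changes. The payload is opaque to the NAT and is left alone."""
    return Packet(src=public_ip, dst=pkt.dst, payload=dict(pkt.payload))


def embedding_client_hello(own_ip: str) -> Packet:
    """Client that names its own interface address inside the payload
    (the behaviour Matthew saw from the Firewall-1 Windows client)."""
    return Packet(src=own_ip, dst=VPN_GATEWAY, payload={"tunnel_endpoint": own_ip})


def header_only_client_hello(own_ip: str) -> Packet:
    """Client that lets the outer header alone identify it (the KAME setup that worked)."""
    return Packet(src=own_ip, dst=VPN_GATEWAY, payload={})


def gateway_pick_endpoint(pkt: Packet) -> str:
    """Remote gateway: use the endpoint the payload names, else the header source."""
    return pkt.payload.get("tunnel_endpoint", pkt.src)


def endpoint_reachable(addr: str) -> bool:
    """A gateway on the public Internet cannot route back to an RFC 1918 address."""
    return not any(ip_address(addr) in net for net in RFC1918)


def tunnel_attempt(hello: Packet) -> tuple:
    """Run one client hello through the NAT and report which endpoint the
    gateway would try to reach and whether that endpoint is routable."""
    natted = masquerade(hello, NAT_PUBLIC)
    endpoint = gateway_pick_endpoint(natted)
    return endpoint, endpoint_reachable(endpoint)


def detect_nat_mismatch(pkt: Packet) -> Optional[str]:
    """Gateway-side check: a payload-embedded address that disagrees with
    the header source means the peer is behind a NAT, which is worth
    logging before the tunnel quietly fails."""
    embedded = pkt.payload.get("tunnel_endpoint")
    if embedded is None or embedded == pkt.src:
        return None
    return f"embedded endpoint {embedded} != header source {pkt.src}: peer is behind NAT"


if __name__ == "__main__":
    for name, hello in (("embedding client", embedding_client_hello(PRIVATE_CLIENT)),
                        ("header-only client", header_only_client_hello(PRIVATE_CLIENT))):
        endpoint, ok = tunnel_attempt(hello)
        print(f"{name}: gateway targets {endpoint}, reachable={ok}")
        print("  check:", detect_nat_mismatch(masquerade(hello, NAT_PUBLIC)))
```

Running it shows the embedding client leaving the gateway with an unroutable 192.168.1.10 as its tunnel endpoint, exactly the symptom described, while the header-only client comes out as 203.0.113.5 and works; the mismatch check is the kind of diagnostic a gateway operator would want logged rather than a silent failure.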