FW: [sclug] Firewalls

lug at assursys.co.uk
Sat Oct 25 09:05:31 UTC 2003


On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:

> lug at assursys.co.uk wrote:
> > On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
> > 
> >>tim wrote:
> >>
> >>>2. Could not seem to get the NAT working on ipcop. My local addresses
> >>>192nnnnnn seemed to leak out into the net, which seemed good in some ways
> >>>in that sites thought my ip address was 192 etc, but bad in the fact that
> >>>I was not doing it deliberately and I am sure its not good generally.
> >>>
> >>
> >>Strange.  I would have thought that if your 192. address leaked
> >>out then the connection would fail since the remote end would not have a
> >>route to your 192.
> > 
> > 
> > I agree entirely. Of course, it's entirely possible that Tim was
> > referring to, say, a website that uses a bit of Java(Script) to determine
> > the end-client's IP address. That won't be detected or NATted by any of the
> > NAT solutions I've come across...
> 
> Yes, but NAT should only change the envelope part of the packet and not the
> contents.

That depends. It's impossible to get some protocols (non-PASV FTP being the
most notable) working without modifying the payload. Yes, this is prone to
error - consider what happens to the size of the packet if the client
address is 1.2.3.4 and the NATted address is 111.122.133.144. Now consider
what happens if the payload was already of size (MTU-40)...

> Last night I managed to get VPN working from behind my ipcop firewall
> to our company intranet.  How ip_masq_ipsec.o enables that is PFM to me.

Presumably you're using the Encapsulation Security Payload (ESP) protocol in
transport mode to implement your VPN.

If you were using AH, or ESP in tunnel mode, this shouldn't work.

If you try establishing more than one VPN from different clients behind your
firewall to the same endpoint, that shouldn't work either.

> Tom.

Best Regards,
Alex.
-- 
Alex Butcher        Brainbench MVP for Internet Security: www.brainbench.com
Bristol, UK                        Need reliable and secure network systems?
PGP/GnuPG ID:0x271fd950                           <http://www.assursys.com/>
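The payload rewriting Alex describes for non-PASV FTP, as an added example that is not part of the thread: a minimal NAT ALG rewrite of the FTP PORT command. The addresses 1.2.3.4 and 111.122.133.144 are the ones from his message; the function names, the port number and the MTU values are constructed for illustration.

```python
"""NAT ALG rewriting of an FTP PORT command, and what it does to packet size.

Constructed example: addresses from the thread, port/MTU values chosen here.
"""
import re

IP_TCP_HEADERS = 40  # IPv4 header (20) + TCP header (20), no options

# PORT h1,h2,h3,h4,p1,p2  -- the client's address and data port, in the payload
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port(payload: bytes):
    """Return (ip, port) from an FTP PORT command, or None if it is not one."""
    m = PORT_RE.match(payload)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def rewrite_port(payload: bytes, private_ip: str, public_ip: str, public_port: int) -> bytes:
    """Replace the client's private address/port inside the payload with the
    NAT's public ones; non-PORT payloads (and PORT for other hosts) are untouched."""
    parsed = parse_port(payload)
    if parsed is None or parsed[0] != private_ip:
        return payload
    octets = ",".join(public_ip.split("."))
    return f"PORT {octets},{public_port // 256},{public_port % 256}\r\n".encode()


def alg_effect(payload: bytes, private_ip: str, public_ip: str, public_port: int, mtu: int) -> dict:
    """Report the size change the rewrite introduces, the TCP sequence offset the
    ALG must apply to every later segment, and whether the packet now exceeds the MTU.
    A payload already of size (MTU - 40) is exactly the case where the rewrite overflows."""
    new = rewrite_port(payload, private_ip, public_ip, public_port)
    delta = len(new) - len(payload)
    return {
        "rewritten": new,
        "seq_delta": delta,  # client->server sequence numbers shift by this much
        "exceeds_mtu": IP_TCP_HEADERS + len(new) > mtu,
    }
```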