FW: [sclug] Firewalls

Mark Smiles msmiles at agere.com
Sat Oct 25 09:05:31 UTC 2003



lug at assursys.co.uk wrote:

>On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
>
>>lug at assursys.co.uk wrote:
>>
>>>On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
>>>
>>>>tim wrote:
>>>>
>>>>>2. Could not seem to get the NAT working on ipcop. My local addresses
>>>>>192nnnnnn seemed to leak out into the net, which seemed good in some ways
>>>>>in that sites thought my ip address was 192 etc, but bad in the fact that
>>>>>I was not doing it deliberately and I am sure it's not good generally.
>>>>>
>>>>Strange.  I would have thought that if your 192. address leaked
>>>>out then the connection would fail since the remote end would not have a
>>>>route to your 192.
>>>>
>>>I agree entirely. Of course, it's entirely possible that Tim was
>>>referring to, say, a website that uses a bit of Java(Script) to determine
>>>the end-client's IP address. That won't be detected or NATted by any of the
>>>NAT solutions I've come across...
>>>
>>Yes, but NAT should only change the envelope part of the packet and not the
>>contents.
>
>That depends. It's impossible to get some protocols (non-PASV FTP being the
>most notable) working without modifying the payload. Yes, this is prone to
>error - consider what happens to the size of the packet if the client
>address is 1.2.3.4 and the NATted address is 111.122.133.144. Now consider
>what happens if the payload was already of size (MTU-40)...
>
>>Last night I managed to get VPN working from behind my ipcop firewall
>>to our company intranet.  How ip_masq_ipsec.o enables that is PFM to me.
>
>Presumably you're using the Encapsulation Security Payload (ESP) protocol in
>transport mode to implement your VPN.

By this you mean UDP wrapper in a TCP packet?

>If you were using AH, or ESP in tunnel mode, this shouldn't work.
>
>If you try establishing more than one VPN from different clients behind your
>firewall to the same endpoint, that shouldn't work either.
>
>
>>Tom.
>
>Best Regards,
>Alex.
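The two points argued above (a NAT must rewrite the address carried inside an FTP PORT command, which changes the payload length, and an integrity check that covers the IP header cannot survive a NAT, whereas one that covers only the payload can) can be shown with a small model. The script below is an added illustration and is not code from this thread, from ipcop or from ip_masq_ipsec. The addresses 1.2.3.4 and 111.122.133.144 and the 40-byte "MTU-40" overhead are taken from Alex's message; the data port 50000, the destination address 198.51.100.7, the HMAC key and the simplified AH/ESP coverage rules are constructed assumptions, not the real AH or ESP header formats.

```python
"""Model of two NAT interactions from the sclug thread (added illustration):
  1. an FTP PORT command carries the client's address in the TCP payload, so a
     NAT helper must rewrite it, and the rewrite can grow the segment;
  2. an AH-style integrity value that covers the IP header fails after a NAT
     changes the source address, while an ESP-style one (payload only) passes.
Everything except the two addresses and the MTU-40 figure is constructed."""
import hashlib
import hmac
import re

MTU = 1500
HEADER_OVERHEAD = 40          # IPv4 (20) + TCP (20), the "MTU-40" case from the thread
PRIVATE_IP = "1.2.3.4"        # client address quoted in the thread
PUBLIC_IP = "111.122.133.144" # NATted address quoted in the thread

# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2\r\n" (address and port in decimal octets)
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def port_args(ip: str, port: int) -> str:
    """Encode an address and port in FTP PORT argument syntax."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def port_command(ip: str, port: int) -> bytes:
    """Build the PORT line a client would send on the control connection."""
    return f"PORT {port_args(ip, port)}\r\n".encode("ascii")


def rewrite_port_command(payload: bytes, private_ip: str, public_ip: str) -> bytes:
    """Model of a NAT's FTP helper: replace the private address inside the PORT
    command with the public one, otherwise the server would try to connect back
    to an unroutable host. The data port is left as the client chose it here
    (a real helper may remap it as well). Lines naming other hosts are untouched."""
    def substitute(match: "re.Match[str]") -> str:
        h1, h2, h3, h4, p1, p2 = match.groups()
        if ".".join((h1, h2, h3, h4)) != private_ip:
            return match.group(0)
        return f"PORT {port_args(public_ip, int(p1) * 256 + int(p2))}\r\n"
    return PORT_RE.sub(substitute, payload.decode("ascii")).encode("ascii")


def payload_growth(private_ip: str, public_ip: str, port: int = 50000) -> int:
    """Bytes by which the PORT line grows once the helper has rewritten it."""
    before = port_command(private_ip, port)
    after = rewrite_port_command(before, private_ip, public_ip)
    return len(after) - len(before)


def exceeds_mtu(payload_len: int, growth: int) -> bool:
    """True when the rewritten segment no longer fits in one MTU-sized packet."""
    return payload_len + growth + HEADER_OVERHEAD > MTU


def icv(key: bytes, src_ip: str, dst_ip: str, payload: bytes, covers_ip_header: bool) -> bytes:
    """Constructed stand-in for an IPsec integrity check value. AH covers the
    immutable IP header fields (addresses included) plus the payload; ESP covers
    only the ESP header and payload. Real implementations use the SA's negotiated
    algorithm over more fields; HMAC-SHA256 is just the model's choice."""
    header = f"{src_ip}|{dst_ip}|".encode("ascii") if covers_ip_header else b""
    return hmac.new(key, header + payload, hashlib.sha256).digest()


def survives_nat(key: bytes, private_ip: str, public_ip: str, dst_ip: str,
                 payload: bytes, covers_ip_header: bool) -> bool:
    """Does the receiver's integrity check still pass after a NAT rewrote the
    source address? The NAT holds no key, so it cannot recompute the value."""
    sent = icv(key, private_ip, dst_ip, payload, covers_ip_header)
    recomputed = icv(key, public_ip, dst_ip, payload, covers_ip_header)
    return hmac.compare_digest(sent, recomputed)


if __name__ == "__main__":
    growth = payload_growth(PRIVATE_IP, PUBLIC_IP)
    print(f"PORT line grows by {growth} bytes after rewriting")
    print("segment of size MTU-40 still fits:", not exceeds_mtu(MTU - HEADER_OVERHEAD, growth))
    key = b"constructed-sa-key"          # constructed, not a real SA key
    print("AH-style check passes after NAT: ",
          survives_nat(key, PRIVATE_IP, PUBLIC_IP, "198.51.100.7", b"data", True))
    print("ESP-style check passes after NAT:",
          survives_nat(key, PRIVATE_IP, PUBLIC_IP, "198.51.100.7", b"data", False))
```

Running it shows the PORT line growing by 8 bytes, a segment that was already MTU-40 bytes long no longer fitting, the AH-style value failing once the source address is rewritten, and the ESP-style value passing; that last contrast is why ip_masq_ipsec-style masquerading can carry ESP at all while AH is a lost cause behind a NAT.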