FW: [sclug] Firewalls
Tom Dawes-Gamble
tmdg at hp.com
Sat Oct 25 09:05:31 UTC 2003
lug at assursys.co.uk wrote:
> On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
>
>
>>lug at assursys.co.uk wrote:
>>
>>>On Wed, 15 Jan 2003, Tom Dawes-Gamble wrote:
>>>
>>>
>>>>tim wrote:
>>>>
>>>>
>>>>>2. Could not seem to get the NAT working on ipcop. My local addresses
>>>>>192nnnnnn seemed to leak out into the net, which seemed good in some ways
>>>>>in that sites thought my ip address was 192 etc, but bad in the fact that
>>>>>I was not doing it deliberately and I am sure it's not good generally.
>>>>>
>>>>
>>>>Strange. I would have thought that if your 192. address leaked
>>>>out then the connection would fail since the remote end would not have a
>>>>route to your 192.
>>>
>>>
>>>I agree entirely. Of course, it's entirely possible that Tim was
>>>referring to, say, a website that uses a bit of Java(Script) to determine
>>>the end-client's IP address. That won't be detected or NATted by any of the
>>>NAT solutions I've come across...
>>
>>Yes, but NAT should only change the envelope part of the packet and not the
>>contents.
>
>
> That depends. It's impossible to get some protocols (non-PASV FTP being the
> most notable) working without modifying the payload. Yes, this is prone to
> error - consider what happens to the size of the packet if the client
> address is 1.2.3.4 and the NATted address is 111.122.133.144. Now consider
> what happens if the payload was already of size (MTU-40)...
>
That's not a nice exercise to leave to the reader. :-)
Though my guess is
MTU - 40 = MTU - Envelope
then in the envelope 1.2.3.4 would be 00000001 00000010 00000011 00000100
and 111.122.133.144 would be 01101111 01111010 10000101 10010000
in that case the envelope does not change size.
I have never looked at things at that level so I could be talking from
the wrong orifice.
>
>>Last night I managed to get VPN working from behind my ipcop firewall
>>to our company intranet. How ip_masq_ipsec.o enables that is PFM to me.
>
>
> Presumably you're using the Encapsulation Security Payload (ESP) protocol in
> transport mode to implement your VPN.
>
How should I know?
I just followed the ipcop FAQ:-
How do I connect an IPsec client behind IPCop to a remote IPSec Server?
It worked first time. :-) Since I connect my laptop to my private intranet
using a wireless network, I can now sit in the garden and work without trailing
wires all over the place.
Tom.
--
There are 10 sorts of people.
Those that understand Binary and those that don't.
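An added example (not from this thread) of the two sizes being discussed, in Python: the address field in the IP header stays four bytes whatever the dotted value, while the ASCII address inside a non-PASV FTP PORT command grows when a NAT helper rewrites it. It assumes an Ethernet MTU of 1500 and minimal 20-byte IPv4 and TCP headers (the 40 in MTU-40); the sample segment is constructed.

```python
import re
import struct

MTU = 1500      # assumed Ethernet MTU
HEADERS = 40    # minimal IPv4 header (20) + minimal TCP header (20): the "MTU-40" above

def ip_header_address(addr: str) -> bytes:
    """The IP header ("envelope") stores an address as exactly four bytes,
    so 1.2.3.4 and 111.122.133.144 occupy the same space once packed."""
    return struct.pack("!4B", *(int(octet) for octet in addr.split(".")))

# Active-mode FTP PORT command: "PORT h1,h2,h3,h4,p1,p2\r\n" with the address in ASCII.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

def rewrite_port_command(payload: bytes, nat_addr: str) -> tuple[bytes, int]:
    """Rewrite the ASCII client address in a PORT command to the NATted address,
    as a NAT helper for non-PASV FTP has to. Returns the new payload and the
    length delta, which the helper must also apply to the TCP sequence and
    acknowledgement numbers of every later segment on the control connection."""
    def substitute(match: re.Match) -> bytes:
        new_host = ",".join(nat_addr.split(".")).encode()
        return b"PORT " + new_host + b"," + match.group(5) + b"," + match.group(6) + b"\r\n"
    rewritten = PORT_RE.sub(substitute, payload)
    return rewritten, len(rewritten) - len(payload)

def fits_in_mtu(payload_len: int, mtu: int = MTU) -> bool:
    """True if the payload plus minimal headers fits in one unfragmented packet."""
    return payload_len + HEADERS <= mtu

def nat_effect(payload: bytes, nat_addr: str) -> dict:
    """Summarise what the payload rewrite does to a segment's size."""
    rewritten, delta = rewrite_port_command(payload, nat_addr)
    return {
        "delta": delta,
        "before_fits": fits_in_mtu(len(payload)),
        "after_fits": fits_in_mtu(len(rewritten)),
    }

if __name__ == "__main__":
    # Constructed sample: a PORT command padded with other data so the
    # segment is exactly MTU-40 bytes before the helper touches it.
    cmd = b"PORT 1,2,3,4,4,1\r\n"
    segment = cmd + b"N" * (MTU - HEADERS - len(cmd))
    print(ip_header_address("111.122.133.144"))    # four bytes, same as for 1.2.3.4
    print(nat_effect(segment, "111.122.133.144"))  # delta 8, after_fits False
```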