On Mon, 6 Sep 1999, Ben Nagy wrote:

> If the Watchguard is performing NAT on a dynamic basis (only possible way if
> it's just one external IP, right?) then why the hell is it routing packets

No, it's most probably performing IP Masquerading, which (as far as I 
recall) simply rewrites the headers for outbound and inbound packets for ICMP. 
Watchguard is Linux isn't it?

> for random internal addresses? In other words, if my host (say 192.168.1.4)
> hasn't sent any traffic to the outside world, I DON'T expect a packet to
> arrive at the firewall, ask for my machine, and have a red carpet rolled
> out.

It shouldn't be.

> Someone reassure me that this box is either misconfigured or that the poster
> is Just Making It Up?

I doubt they're making it up, but I would say the box is misconfigured; 
whether by the vendor or the user isn't clear.  It would appear that IP routing 
is on, and there are no effective rules for blocking spoofing to the 
outside NIC and/or that ICMP masquerading isn't written as well as it should 
be.  If (and I have no idea) Watchguard requires IP routing, then more 
filtering needs to be going on than is.  In either case, filters on the 
external interface would take care of the issue.

>       # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100

From the DMZ *only* this would work; in normal cases, getting packets with a 
destination address of 192.168.x.x or any other RFC1918 address to 
the external NIC would be more challenging (assuming no IP source routing).

Places using legal addresses internally would be the only ones vulnerable 
to this from the Internet.

This is one of the reasons I prefer to have a router between the DMZ that 
externally accessible hosts sit on and the outside NIC(s) of the firewall 
with the default routes outbound - besides the extra packet screen, it's 
not easy to throw junk at the external firewall interface.  Wonder if 
frames directed at the internal MAC address also pass?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280
