At 17:03 02/03/01 +0000, Daniel Crichton wrote:
>On 2 Mar 2001, at 17:39, mouss wrote:
>
> > assume my IP address is 10.0.0.1, and that of your router is 10.0.0.1.
> > I can't send you any message, so I can't traceroute over your router.
> >
> > If I can traceroute through your router, then I can ping, telnet and
> > the rest.
> > If I can't, there is no reason my traceroute returns your address.
>
>Not quite - with traceroute as you are sending the packets to the end point
>past the router with the TTL set to 1 higher each time then you're not
>actually sending data to the router with the private IP,
agreed, but the router is sending me packets back, no?
how do these come to me?
>it's just that at that point the
>router returns the ICMP packet with a source of 10.0.0.1 and if you don't
>have a rule at the firewall preventing this packet coming in then you see it,
>even though you can't actually ping/tracert/connect to that router IP address
>(as the address is in your subnet and so packets don't leave via your
>gateway).
I don't like relying on priv addresses to block threats. While it's not
easy to reach a 10.1.2.3 router, it's still possible, unless you have things
that block, but then you can just give it a public addr and block the
undesired packets. no?
>The private IP doesn't affect packets going *through* it as your machine is
>simply sending packets to the next router upstream to the destination, it's
>only each host in the route that needs to know how to get it to the next one.
sure, but having the same addr at 2 ends makes that hard, if not impossible.
>Everything now makes sense since I've seen the replies on this list, and I
>now understand more about IP than I did before.
that's why we are all here, no?
cheers,
mouss
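The exchange above, as an added example that is not part of the original thread: a small Python model of the TTL-driven traceroute loop, the ICMP Time Exceeded reply that carries the answering router's own address, and the ingress filter Daniel mentions. The hop addresses, the local subnet and the router with a 10.0.0.1 interface are a constructed topology chosen to illustrate the point; no packets are sent.

```python
"""Model of why a private router address shows up in a traceroute.

Constructed example (not code from the mailing-list thread): a path of hops
between the local host and a destination, a probe loop that raises the TTL by
one per step, routers that answer ICMP Time Exceeded from their own address,
and an optional ingress filter that drops replies sourced from RFC 1918 space.
"""
import ipaddress
from typing import List

# RFC 1918 private address blocks (real values).
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample path: the third hop is a router whose answering interface
# carries a private address, as in the thread. Documentation prefixes are used
# for the public hops.
SAMPLE_PATH = ["203.0.113.1", "198.51.100.9", "10.0.0.1", "192.0.2.10"]
MY_SUBNET = "10.0.0.0/24"   # the local host also sits in 10.0.0.0/24


def is_private(addr: str) -> bool:
    """True if addr falls inside any RFC 1918 block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def send_probe(path: List[str], ttl: int) -> str:
    """Return the source address of the reply to a probe sent with this TTL.

    Each router on the path decrements the TTL; the router at which it reaches
    zero answers ICMP Time Exceeded from its own address. If the TTL is large
    enough to reach the end, the destination itself answers.
    """
    hop_index = ttl - 1
    if hop_index >= len(path):
        return path[-1]
    return path[hop_index]


def ingress_allowed(src: str, drop_private_sources: bool) -> bool:
    """Firewall decision for an inbound reply: drop RFC 1918 sources if enabled."""
    return not (drop_private_sources and is_private(src))


def traceroute(path: List[str], drop_private_sources: bool = False) -> List[str]:
    """Run the TTL loop and record what the local host sees for each hop.

    A reply blocked at the firewall shows as '*', exactly as a real traceroute
    prints a hop that never answered.
    """
    seen = []
    for ttl in range(1, len(path) + 1):
        src = send_probe(path, ttl)
        seen.append(src if ingress_allowed(src, drop_private_sources) else "*")
        if src == path[-1]:
            break
    return seen


def direct_probe_leaves_via_gateway(my_subnet: str, target: str) -> bool:
    """Whether a packet addressed directly to target would leave via the gateway.

    An address inside the local subnet is delivered on the LAN, so a direct
    ping or telnet to the remote router's 10.0.0.1 never reaches it, even
    though its replies to traceroute probes arrive from that address.
    """
    return ipaddress.ip_address(target) not in ipaddress.ip_network(my_subnet)


if __name__ == "__main__":
    print("no ingress filter :", traceroute(SAMPLE_PATH))
    print("drop RFC1918 src  :", traceroute(SAMPLE_PATH, drop_private_sources=True))
    print("direct probe to 10.0.0.1 leaves via gateway:",
          direct_probe_leaves_via_gateway(MY_SUBNET, "10.0.0.1"))
```

Without the filter, the third hop is reported as 10.0.0.1 because the reply's source address is whatever the router put in it; with the filter, that hop shows as `*`. The last function captures the other half of the thread: a probe sent directly to 10.0.0.1 from a host in 10.0.0.0/24 is resolved locally and never goes through the gateway, so seeing the address in a trace does not mean the router is reachable by it.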
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]