> At 16:44 15.07.2004 +0300, [EMAIL PROTECTED] wrote:
> 
> >I've noticed that when installing the default shorewall configuration of Bering-*
> >there is no block of rfc1918 packets going out to NET ....
> >That is, traceroute from LOC of any address not included in LOCAL LAN but in the RFC1918 range will go out and traverse the net (default route).
> 
> Are you tracing the external interface? You should see a masqueraded source address there.
> 
> >Who is responsible for stopping these packets ???
> 
> NAT

OK, I shall make this more clear ...
I am referring to the Destination Address...

Suppose
LOC=192.168.1.0/24
DMZ=NONE
NET IF=ppp0=62.12.1.1 ( DYNAMIC )

No other addresses are involved in this hypothetical configuration.

Suppose a user from the LOC LAN with address 192.168.1.4 pings or trace(s)route to
10.0.1.1, which is not used in local or any other zone ..

10.0.1.1 is DST

If an observer in the net zone (the ISP) observes packets coming in from
source address 62.12.1.1
tcpdump -i someif0 src host 62.12.1.1

She will see these ping or traceroute packets with the following characteristics.

SRC=62.12.1.1  DST=10.0.1.1 

Am I right or am I right ???

So we have a packet destined to a private address space looking around the internet to 
contact address 10.0.1.1 ( noise ).


So let me repeat

Who is responsible to stop or drop or kill this packet ?????
The ISP or The firewall admin ???

Best Regards

Harry



leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
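
Added example (not part of the original message and not Shorewall code): a small Python model of the scenario in the message, showing that masquerading rewrites only the source address, so a packet to 10.0.1.1 leaves ppp0 as SRC=62.12.1.1 DST=10.0.1.1 unless an egress check on RFC1918 destinations stops it first. The `forward` function and its `egress_filter` switch are hypothetical names; the addresses are the ones from the message, plus the constructed public destination 198.51.100.7.

```python
import ipaddress

# Constructed values taken from the hypothetical setup in the message.
LOC_NET = ipaddress.ip_network("192.168.1.0/24")
NET_IF_ADDR = ipaddress.ip_address("62.12.1.1")   # ppp0, masqueraded source
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def forward(src, dst, egress_filter):
    """Follow one packet from LOC through the firewall (hypothetical model).

    Returns (verdict, src_on_wire, dst_on_wire); the wire fields are None
    when the packet never leaves through the NET interface.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst in LOC_NET:
        # On-link destination: delivered on the LAN, never routed to NET.
        return ("local", None, None)
    # Everything else matches the default route and heads for ppp0.
    if egress_filter and any(dst in net for net in RFC1918):
        # Assumed loc->net drop rule: private destinations are not routable
        # on the Internet, so the packet is stopped before it leaves.
        return ("dropped", None, None)
    # Masquerading rewrites only the source; the destination is untouched.
    return ("sent", str(NET_IF_ADDR), str(dst))


if __name__ == "__main__":
    for dst in ("10.0.1.1", "192.168.1.20", "198.51.100.7"):
        for flt in (False, True):
            print(f"dst={dst:<14} filter={flt!s:<5} ->",
                  forward("192.168.1.4", dst, flt))
```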
