Ok... Here's how they do it... User has a modem, connects to ISP.. gets IP of 1.2.3.4
User loads Sat Program to use the Sat's downstream. Sat program logs into DirectPC's "network" with their (the user's) site ID. Direct PC then sends an IP Address to the sat recvr, the sat recvr tells the user's computer: Hey, They just gave me the IP of 7.3.5.6

Sat program now controls user's TCP/IP stack... User goes to www.blah.com and the TCP Session will look something like:

7.3.5.6 -> SYN -> www.blah.com (using modem)
www.blah.com -> ACK -> 7.3.5.6 (using sat)
7.3.5.6 -> SYN-ACK -> www.blah.com (using modem)
7.3.5.6 -> [data packet of get] -> www.blah.com (using modem)
www.blah.com -> [data packet value of get request] -> 7.3.5.6 (using sat)

Just a normal, basic TCP session (steps might be wrong, it's late and I'm going off memory). Now, keeping in mind this is a one way customer, meaning they use the ISP for the upstream, and sat network for their downstream. (aka async route, because the upstream route differs from the downstream route of the packets)

With that laid out... The sat program (which controls the user's TCP/IP stack) sends out all TCP/IP packets with the source address of 7.3.5.6 out of the user's modem interface, which has the IP Address of 1.2.3.4

So... if 1.2.3.0/24 is your network.. and in your firewall, you have the following statements:

===============================
block in inet from any to any
block out inet from any to any
pass in on if0 inet from { 1.2.3.0/24 } to any keep state
pass out on if0 inet from any to { 1.2.3.0/24 } keep state
================================

which will keep spoofed IP addresses from leaving your network and entering your network. So, since 7.3.5.6 isn't in your network, it gets the default of block.... If the user wants to use their sat connection, you have to do one of two things.

1) know the IP Addresses that they give to their users.
2) don't block spoofed packets and hope a hacker doesn't take over one of your customers' machines/servers and turn it into a zombie...
Does everyone understand how those one way sat connections work now?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of jolan
Sent: Wednesday, December 18, 2002 9:08 PM
To: Shawn Mitchell
Cc: [EMAIL PROTECTED]
Subject: Re: directpc.com question... (deals with pf... )

On Wed, Dec 18, 2002 at 08:09:15PM -0600, Shawn Mitchell wrote:
> That's why I'm blocking those Winblows ports... I know what they are..
> but it's just the pure number of full network scans attempted.

well, that's what worms do. i can't say i'm surprised.

> I'm not talking about their website IP Address... you're correct in that
> they have a modem for upstream, and that dish for downstream.

i'm not talking about their website ip address either...

> If a packet with a source address that is not one of my IP Addresses or on
> RFC1918 tries to leave my internet interface... it's killed... I do that on
> purpose as I don't want broadband users having their machines turned to
> zombies, or their 12 year old kid finding a "cool" script.

uh. how does this tie in with direcpc users? are direcpc users using your
dial-up service for their upstream?

> Their site says Earthlink... but they say they're an Ecorp company or
> something...

ecorp could be earthlink corporation...

> What happens if they are using RFC1918 addresses? I've been seeing a LOT of
> 10 dot traffic trying to exit... and also hit my DNS servers.

they should be using direcpc's dial-up service, not yours.

> If they're using 10 dot addresses (which is stupid), I'm ok with allowing
> it... IF I know all the places that it's supposed to go to.

uh. how is it supposed to get delivered? most places drop packets destined
for private networks.

> It just pisses me off when you spend an hour on their tech support line, and
> they say "We can't give you those addresses for security reasons" I'm just
> like.. ok.. my network.. I see all the traffic anyway... After that, he
> kept telling me that "No, we're not blocking anything" me: "No, I need to
> know your IP Address blocks. They'll be something like a 1.2.3.4/20 or
> something like that" him: "No, we're not blocking any ip addresses"

if you see all the traffic, then do a lookup on arin.net to find the blocks
allocated to them..?

- jolan
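As an added illustration that is not part of the thread above (and not pf's own code), here is a small Python model of how pf evaluates the egress-filter ruleset Shawn posted: with no `quick`, the last matching rule wins, `keep state` lets the replies of an accepted flow back through, and the one-way DirecPC user's packets, stamped with the satellite address 7.3.5.6 but leaving over the dial-up, fall to the `block` rules until the provider's block is known and passed explicitly (option 1 in the thread). The web server 198.51.100.10 and the 7.3.5.0/24 "DirecPC block" are constructed placeholders, not values from the thread; the model ignores ports, TCP flags and interface-bound states.

```python
"""Model pf's rule evaluation (last match wins, state checked first) on the
posted ruleset.  Added example; addresses other than those in the thread
are constructed placeholders."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The ruleset exactly as posted; if0 is the customer-facing interface.
POSTED_RULESET = """
block in inet from any to any
block out inet from any to any
pass in on if0 inet from { 1.2.3.0/24 } to any keep state
pass out on if0 inet from any to { 1.2.3.0/24 } keep state
"""

# Same rules with the block placed last: without 'quick', the last match wins,
# so this ordering silently blocks the customers it meant to pass.
MISORDERED_RULESET = """
pass in on if0 inet from { 1.2.3.0/24 } to any keep state
block in inet from any to any
"""

# Minimal grammar for the rule forms used in the thread (not full pf syntax).
RULE_RE = re.compile(
    r"^(?P<action>block|pass)"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"\s+inet\s+from\s+(?P<src>any|\{[^}]*\}|\S+)"
    r"\s+to\s+(?P<dst>any|\{[^}]*\}|\S+)"
    r"(?P<state>\s+keep state)?$"
)


@dataclass
class Rule:
    action: str
    direction: Optional[str]      # None means either direction
    iface: Optional[str]          # None means any interface
    src: Optional[List[ipaddress.IPv4Network]]   # None means 'any'
    dst: Optional[List[ipaddress.IPv4Network]]
    keep_state: bool


def parse_addr(token: str):
    """'any' -> None; '{ a, b }' or 'a' -> list of networks."""
    if token == "any":
        return None
    parts = token.strip("{} ").split(",")
    return [ipaddress.ip_network(p.strip(), strict=False) for p in parts if p.strip()]


def parse_ruleset(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line!r}")
        rules.append(Rule(m["action"], m["dir"], m["iface"],
                          parse_addr(m["src"]), parse_addr(m["dst"]),
                          m["state"] is not None))
    return rules


def _in_nets(addr, nets) -> bool:
    return nets is None or any(addr in n for n in nets)


class Firewall:
    def __init__(self, ruleset_text: str):
        self.rules = parse_ruleset(ruleset_text)
        self.states = set()   # (src, dst) flows admitted by 'keep state'

    def filter(self, direction: str, iface: str, src: str, dst: str) -> str:
        """Return 'pass' or 'block' for one packet seen on iface."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # pf consults the state table before the rules: a reply to an
        # admitted flow passes without being evaluated against the rules.
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass"
        winner = None
        for r in self.rules:
            if r.direction not in (None, direction) or r.iface not in (None, iface):
                continue
            if not _in_nets(src_ip, r.src) or not _in_nets(dst_ip, r.dst):
                continue
            winner = r                      # no 'quick': keep the last match
        if winner is None:
            return "pass"                   # pf's implicit default when nothing matches
        if winner.action == "pass" and winner.keep_state:
            self.states.add((src, dst))
        return winner.action


def demo() -> dict:
    """Run the thread's scenario through the posted ruleset."""
    fw = Firewall(POSTED_RULESET)
    results = {}
    # Ordinary dial-up customer 1.2.3.4 opens a session; the reply rides the state.
    results["customer_syn"] = fw.filter("in", "if0", "1.2.3.4", "198.51.100.10")
    results["customer_reply"] = fw.filter("out", "if0", "198.51.100.10", "1.2.3.4")
    # DirecPC user: same modem, but the stack sends with the satellite address.
    results["sat_syn"] = fw.filter("in", "if0", "7.3.5.6", "198.51.100.10")
    # Option 1 from the thread: know the provider's block and pass it explicitly
    # (7.3.5.0/24 is a placeholder; the real block is not in the thread).
    known = POSTED_RULESET + "pass in on if0 inet from { 7.3.5.0/24 } to any keep state\n"
    results["sat_syn_known_block"] = Firewall(known).filter("in", "if0", "7.3.5.6", "198.51.100.10")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
    print("misordered customer_syn",
          Firewall(MISORDERED_RULESET).filter("in", "if0", "1.2.3.4", "198.51.100.10"))
```

The model shows why the posted order matters: the two `block` lines go first so that the later `pass` lines override them for exactly the customer prefix, and anything else, including the satellite-sourced packets, keeps the `block` verdict. Swapping the order (MISORDERED_RULESET) turns the egress filter into a blanket block of the customers themselves.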