On Fri, 2 Jun 2000, Alan Mead wrote:

> I don't know what a PIX is... but if I understood Duncan correctly, his 

PIX - Cisco PIX firewall.  Black box with twin NICs and a version of
Cisco's IOS.  Does NAT, PAT etc.

> internal LAN was using an IP address space that he doesn't own (Duncan, 
> is this correct?  this the crux, yes?).  These machines were being serviced 
> by an IP Masq firewall that translated from their IP addresses to one 

Correct to a degree.  When the internal network was originally
numbered, it was done with IPs not reserved for LANs.  The entire
network is translated via NAT to one IP for the rest of the world,
other than servers, which also have conduits mapping their internals
to specific externals, with port restrictions.

> legitimate IP address.  His machine is a web server and (whatever
> port 22 services) and the firewall is configured to expose his

22 - Secure Shell :)

> curious about the details of this but I assume that he has a single 
> interface that is connected to his LAN.

Correct.

> Anyway, he asked how to use IP chains to block all outside traffic except 
> ports 22 and 80 and allow all internal traffic.
> Duncan, if this is correct, I don't think you can distinguish internal and 
> external traffic on your machine.  This has to be done at the border 

I think it may be possible to determine internal and external traffic
by the address.  I need to get someone to ping me while I have tcpshow
running though, that way I can look at packets as they flow :)

> Or, you could just trust all traffic from the IP space of your
> internal LAN and hope no one who really owns that space attacks.  

You've just found the problem with using "real" IPs on an internal
network.  If a host outside your masqd network has an IP that is
inside of your network, you can never reach that host.  I'm not sure
about the other way around with the conduits.  I _think_ that if an
external host with the same IP as a server on the inside requests
something from the inside host, it gets through fine, and receives an
answer fine due to the way the PIX does the translation.  


-- 

Duncan Hill                     Sapere aude
My mind not only wanders, it sometimes leaves completely.


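The rule set Alan describes (everything from the internal LAN, only tcp/22 and tcp/80 from anywhere else) and the overlap problem Duncan raises can both be worked through in a small model. The following is an added example, not code from the original mail or from either poster. The addresses are constructed: 198.51.100.0/24 stands in for the non-RFC1918 block the internal LAN was numbered with, 198.51.100.10 for Duncan's web/SSH host, and 203.0.113.0/24 for arbitrary outside hosts. It models only the decision a single-homed host can make from the packet's source address, assuming the packet has already reached that host; it says nothing about what the PIX would do with such a packet, which the thread leaves open. The `ipchains_rules()` function renders the equivalent ipchains (kernel 2.2) rules as text for the reader; it does not run them. Requires Python 3.7+ for `ip_network.subnet_of`.

```python
"""Model of an address-based ipchains policy on a single-homed host.

Added example; all addresses below are constructed stand-ins, not the
real numbering from the thread.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: a routable-looking block standing in for the non-RFC1918
# range the internal LAN was numbered with, and the one exposed host.
INTERNAL_NET = ipaddress.ip_network("198.51.100.0/24")
HOST = ipaddress.ip_address("198.51.100.10")
PUBLIC_TCP_PORTS = {22, 80}          # SSH and HTTP, as in the thread

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def is_internal_by_address(src: str) -> bool:
    """The only test a host with one interface can apply: is the source
    address inside our own block?  It cannot see which side of the PIX
    the packet came from."""
    return ipaddress.ip_address(src) in INTERNAL_NET


def decide(pkt: Packet) -> str:
    """Apply the policy from the thread and return 'ACCEPT' or 'DENY'.

    Internal sources get everything; everyone else gets tcp/22 and
    tcp/80 on the host and nothing more (default policy DENY)."""
    if ipaddress.ip_address(pkt.dst) != HOST:
        return "DENY"
    if is_internal_by_address(pkt.src):
        return "ACCEPT"
    if pkt.proto == "tcp" and pkt.dport in PUBLIC_TCP_PORTS:
        return "ACCEPT"
    return "DENY"


def internal_block_is_private() -> bool:
    """True only if the LAN is numbered from RFC 1918 space.  When this is
    False, some outside host legitimately owns addresses in INTERNAL_NET
    and decide() will treat it as internal."""
    return any(INTERNAL_NET.subnet_of(n) for n in RFC1918)


def route_for(dst: str) -> str:
    """Where an inside host sends a packet.  Anything inside INTERNAL_NET
    is delivered on the LAN segment, so a real outside host that owns
    one of those addresses can never be reached from inside."""
    return "LAN" if ipaddress.ip_address(dst) in INTERNAL_NET else "gateway"


def ipchains_rules() -> list:
    """Render the policy as ipchains commands (kernel 2.2 syntax).  Output
    is for reading; this function does not execute anything."""
    return [
        "ipchains -P input DENY",
        "ipchains -A input -i lo -j ACCEPT",
        f"ipchains -A input -s {INTERNAL_NET} -j ACCEPT",
        f"ipchains -A input -p tcp -d {HOST} 22 -j ACCEPT",
        f"ipchains -A input -p tcp -d {HOST} 80 -j ACCEPT",
    ]


if __name__ == "__main__":
    print("\n".join(ipchains_rules()))
    # The failure mode from the thread: a source in our block is trusted
    # whether or not it is really on our LAN.
    stranger = Packet("198.51.100.77", str(HOST), "tcp", 3306)
    print("outside host owning 198.51.100.77 ->", decide(stranger))
    print("packets to 198.51.100.77 go via:", route_for("198.51.100.77"))
```

The two functions that matter are `decide()` and `route_for()`: the first shows that trusting a source block the LAN does not own extends "internal" trust to whoever really holds those addresses, and the second shows Duncan's point that an inside host can never reach such an outside host because the kernel routes the address onto the local segment.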