Re: [Cooker-firewall] CookFire and NAT

2001-05-05 Thread Matthew Zaleski

I'm no expert at firewalling, but I have been studying internet security off
and on for the last few years.  What in the world will direct translation of
128 IPs to another "hidden" 128 IPs really gain you?  From what I can see,
nothing.  I would still be able to attack you because an external IP will
guarantee me access to a specific machine on the inside.  In addition, once
I broke into one server, I would now have access to the rest unless you do
some heroic lockdown of services on your servers, since they are all huddled
together.

Will this private network also have machines that are supposed to be
"invisible" to the net (like personal workstations)?  If so, your servers
should be sitting in one or more DMZs to minimize disruption and cross
contamination.

Would it not be simpler to just expose all your machines that you want to
have direct access to the internet (and hide the remainder behind a true,
secure firewall)?

Just a few random thoughts spilling out of my brain,

Matthew Zaleski

- Original Message -
From: "Sveinar Søpler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 03, 2001 3:27 AM
Subject: [Cooker-firewall] CookFire and NAT


> Is it possible to do NATing like this:
>
> I have 128 public IP addresses from my ISP. I want to run several servers++
> and want all my machines to use the public IPs I have from my ISP. Also
> when I connect out from one of my machines to an external source, like an FTP
> server or IRC server, I want this to be connected "from" my "real" IP, and
> not the firewall IP.
>
> E.g. my "inside" box has IP address 192.168.0.100. My external address should
> then be NATed to 193.212.1.100 (masking away 192.168.0 for 193.212.1). The
> next machine 192.168.0.154 should be 193.212.1.154 and so on..
>
> Is this possible? I have been searching the net for such a solution, but the
> only usable thing I get is "let's say you have one IP... ".. But I have 128!
>
> I want to be able to connect to 1 IP address for my WEB server, another for
> my FTP server+++, and NOT use "port mapping" at all.. But the "real"
> address..
>
> Could someone help me out? Is this a possibility in CookFire?
>
> Sveinar Søpler
> Servicekoordinator
> Tech Computers
> Tlf  : 22896022
> Mail : [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>


RE: [Cooker-firewall] CookFire and NAT

2001-05-05 Thread Sveinar Søpler

I have tested Securepoint firewall, and even though I messaged the service
staff there, I did not get any good answer from them about how to set this
up.

The only configuration I was able to see was the "internal net -> 1 IP
address". It could be that I am totally ignorant here, but I must say that
after setting up a Windows 2000 server, within 10 minutes everything I ever
wanted was up and running :)

I know this can be done using Linux.. Of course, but my problem is HOW? :)
The typical "helping hand" in the Linux community is to direct someone to a
"howto" document that contains nothing but old examples for, like, the 2.0.36
kernel.. With lots of links to files that no longer exist.. That will not
do me any good when running e.g. Mandrake 8.0 with a 2.4.x kernel.. Right? :)

Remember.. All that I do here has to be documented as seen from a Network
Admin role.. And not something that is impossible to reproduce... It's not
that simple to document patching odd .c files to get the kernel to compile
without errors, you know.. :) It should be easier than that...

Sveinar Søpler
Tech Computers AS
Tlf  : 22896022
Mail : [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>


-Original Message-
From: John Johnson [mailto:[EMAIL PROTECTED]] 
Sent: 3. mai 2001 17:47
To: [EMAIL PROTECTED]
Subject: Re: [Cooker-firewall] CookFire and NAT


If Mandrake Firewall can't do the job, there is a FREE firewall software that
will. I must say it's not as nice as Mandrake Firewall (I don't think anything
is), but it will do what you want. It's called Securepoint firewall and they
have a freeware version: http://www.securepoint.cc. But don't give up on
Mandrake Firewall yet; I would keep on with that because of the ease of use
and how nice it is.

-John

- Original Message -
From: "Sveinar Søpler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 03, 2001 12:27 AM
Subject: [Cooker-firewall] CookFire and NAT


Is it possible to do NATing like this:

I have 128 public IP addresses from my ISP. I want to run several servers++
and want all my machines to use the public IPs I have from my ISP. Also
when I connect out from one of my machines to an external source, like an FTP
server or IRC server, I want this to be connected "from" my "real" IP, and
not the firewall IP.

E.g. my "inside" box has IP address 192.168.0.100. My external address should
then be NATed to 193.212.1.100 (masking away 192.168.0 for 193.212.1). The
next machine 192.168.0.154 should be 193.212.1.154 and so on..

Is this possible? I have been searching the net for such a solution, but the
only usable thing I get is "let's say you have one IP... ".. But I have 128!

I want to be able to connect to 1 IP address for my WEB server, another for
my FTP server+++, and NOT use "port mapping" at all.. But the "real"
address..

Could someone help me out? Is this a possibility in CookFire?

Sveinar Søpler
Servicekoordinator
Tech Computers
Tlf  : 22896022
Mail : [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>


Re: [Cooker-firewall] CookFire and NAT

2001-05-03 Thread Denis HAVLIK

On Thu, 3 May 2001, philippe Libat wrote:

:~>But, if you have technical skills, you can implement this with ipvsadm
:~>and virtual ip on the firewall, for direct routing configuration

And of course, you can kindly ($$) ask Philippe to write these rules for
you. .-))

cheers
Denis
-- 
-
Dr. Denis Havlik   http://MandrakeForum.com
Mandrakesoft   ||| e-mail: [EMAIL PROTECTED]
Community (@ @)(private: [EMAIL PROTECTED])
--oOO--(_)--OOo-
The mailserver is on strike. It wants better working conditions,
paid days off and a female connector. ([EMAIL PROTECTED])


Re: [Cooker-firewall] CookFire and NAT

2001-05-03 Thread philippe Libat

hi,

philippe Libat wrote:
> 
> hi,
> 
> Sveinar Søpler wrote:
> >
> > Is it possible to do NATing like this:
> >
> > I have 128 public IP addresses from my ISP. I want to run several servers++
> > and want all my machines to use the public IPs I have from my ISP. Also
> > when I connect out from one of my machines to an external source, like an FTP
> > server or IRC server, I want this to be connected "from" my "real" IP, and
> > not the firewall IP.
> >
.
> >
> > Sveinar Søpler
> > Servicekoordinator
> > Tech Computers
> > Tlf  : 22896022
> > Mail : [EMAIL PROTECTED]
> >
> 
> Yes, another good topology and features for the next product.
> 
> If I summarize your question:
> 
> you want to make a static address translation (public network to private
> network, or n to n mapping).


Your configuration with masquerading and virtual IPs should work;
I've tested your architecture.

Here is the configuration.

Add a config file (the file name depends on your internet interface, the
range on your external IPs), e.g. /etc/sysconfig/network-scripts/ifcfg-eth2-range0:

    # alias every public address of the range onto eth2 (eth2:0, eth2:1, ...)
    IPADDR_START=193.1.12.49
    # end of the range, same prefix as IPADDR_START
    IPADDR_END=193.1.12.250
    CLONENUM_START=0

Add static forwarding rules in /etc/sysconfig/lvs:

    # virtual service on the public address, weighted least-connection scheduling
    -A -t 193.1.12.49:80 -s wlc
    # real server behind it, reached through masquerading (NAT), weight 1
    -a -t 193.1.12.49:80 -r 192.168.2.84:80 -m -w 1
    .

Complete with your forwarding range.


You can modify bastille-firewall.conf and add all your internet virtual
IPs in the PUBLIC_INTERFACE variable.

This one works fine.


Have fun.

> 
> --
> Philippe Libat <[EMAIL PROTECTED]>
> Linux-Mandrake  http://www.linux-mandrake.com
> _
> Think Different, Think Linux

-- 
Philippe Libat <[EMAIL PROTECTED]>
Linux-Mandrake  http://www.linux-mandrake.com
_
Think Different, Think Linux
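A netfilter alternative to the ipvsadm rules above, added here as an example that is not part of Philippe's or CookFire's configuration: it prints the per-host 1:1 NAT rules for Sveinar's 192.168.0.N <-> 193.212.1.N mapping (prefixes, interface names and the published ports are assumptions) together with the FORWARD filter that Matthew's reply argues is needed, since the translation alone leaves every inside host reachable.

```shell
#!/bin/sh
# Added example, not from the thread: static 1:1 NAT on a 2.4 netfilter
# kernel instead of the ipvsadm approach above. Each inside host keeps its
# last octet: 192.168.0.N <-> 193.212.1.N, as in Sveinar's question.
# Prefixes, interface names and per-host port lists are assumptions.
# Nothing is applied here; the commands are printed for review and can
# be piped to sh on the firewall afterwards.
PUB_NET=193.212.1      # assumed public prefix (taken from the question)
PRIV_NET=192.168.0     # assumed private prefix
WAN_IF=eth0            # assumed interface towards the ISP
LAN_IF=eth1            # assumed interface towards the servers

# one_to_one_nat HOST "TCP-PORTS": prints the rules for one host number.
# - alias the public address on WAN_IF so the firewall answers ARP for it
# - DNAT inbound  193.212.1.HOST -> 192.168.0.HOST
# - SNAT outbound 192.168.0.HOST -> 193.212.1.HOST, so sessions the host
#   opens (FTP, IRC) show its own public address, not the firewall's
# - FORWARD: admit new inbound connections only on the listed TCP ports;
#   1:1 NAT itself hides nothing, the filter is what limits exposure
one_to_one_nat() {
    host=$1
    ports=$2
    pub="$PUB_NET.$host"
    priv="$PRIV_NET.$host"
    echo "ip addr add $pub/32 dev $WAN_IF"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
    for p in $(echo "$ports" | tr ',' ' '); do
        echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# generate_ruleset: default-deny forwarding, allow replies and outbound
# traffic, load the FTP helper so FTP data channels survive NAT,
# then one block per published host (hosts and ports are assumptions).
generate_ruleset() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    echo "modprobe ip_conntrack_ftp; modprobe ip_nat_ftp"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PRIV_NET.0/24 -j ACCEPT"
    one_to_one_nat 100 "80,443"   # web server from the question
    one_to_one_nat 154 "21"       # FTP server from the question
}

generate_ruleset
```

Unlike the per-port LVS entries, the DNAT/SNAT pair translates every port of a host, so the only thing keeping unpublished services off the internet is the FORWARD chain; review the generated output before applying it.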




Re: [Cooker-firewall] CookFire and NAT

2001-05-03 Thread philippe Libat

hi,

Sveinar Søpler wrote:
> 
> Is it possible to do NATing like this:
> 
> I have 128 public IP addresses from my ISP. I want to run several servers++
> and want all my machines to use the public IPs I have from my ISP. Also
> when I connect out from one of my machines to an external source, like an FTP
> server or IRC server, I want this to be connected "from" my "real" IP, and
> not the firewall IP.
> 
> E.g. my "inside" box has IP address 192.168.0.100. My external address should
> then be NATed to 193.212.1.100 (masking away 192.168.0 for 193.212.1). The
> next machine 192.168.0.154 should be 193.212.1.154 and so on..
> 
> Is this possible? I have been searching the net for such a solution, but the
> only usable thing I get is "let's say you have one IP... ".. But I have 128!
> 
> I want to be able to connect to 1 IP address for my WEB server, another for
> my FTP server+++, and NOT use "port mapping" at all.. But the "real"
> address..
> 
> Could someone help me out? Is this a possibility in CookFire?
> 
> Sveinar Søpler
> Servicekoordinator
> Tech Computers
> Tlf  : 22896022
> Mail : [EMAIL PROTECTED]
> 


Yes, another good topology and features for the next product.

If I summarize your question:

you want to make a static address translation (public network to private
network, or n to n mapping).

This kind of configuration is not yet included in the web administration
tools of Cooker Firewall.
We can add this feature in the next product.

But, if you have technical skills, you can implement this with ipvsadm
and virtual IPs on the firewall, for a direct routing configuration.

For more information:
www.linuxvirtualserver.org

For the masquerading configuration with virtual IPs on the ethernet
interface, I will test it now and give you an answer ASAP.

-- 
Philippe Libat <[EMAIL PROTECTED]>
Linux-Mandrake  http://www.linux-mandrake.com
_
Think Different, Think Linux




Re: [Cooker-firewall] CookFire and NAT

2001-05-03 Thread John Johnson

If Mandrake Firewall can't do the job, there is a FREE firewall software that
will. I must say it's not as nice as Mandrake Firewall (I don't think anything
is), but it will do what you want. It's called Securepoint firewall and they
have a freeware version: http://www.securepoint.cc. But don't give up on
Mandrake Firewall yet; I would keep on with that because of the ease of use
and how nice it is.

-John

- Original Message -
From: "Sveinar Søpler" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 03, 2001 12:27 AM
Subject: [Cooker-firewall] CookFire and NAT


Is it possible to do NATing like this:

I have 128 public IP addresses from my ISP. I want to run several servers++
and want all my machines to use the public IPs I have from my ISP. Also
when I connect out from one of my machines to an external source, like an FTP
server or IRC server, I want this to be connected "from" my "real" IP, and
not the firewall IP.

E.g. my "inside" box has IP address 192.168.0.100. My external address should
then be NATed to 193.212.1.100 (masking away 192.168.0 for 193.212.1). The
next machine 192.168.0.154 should be 193.212.1.154 and so on..

Is this possible? I have been searching the net for such a solution, but the
only usable thing I get is "let's say you have one IP... ".. But I have 128!

I want to be able to connect to 1 IP address for my WEB server, another for
my FTP server+++, and NOT use "port mapping" at all.. But the "real"
address..

Could someone help me out? Is this a possibility in CookFire?

Sveinar Søpler
Servicekoordinator
Tech Computers
Tlf  : 22896022
Mail : [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>


[Cooker-firewall] CookFire and NAT

2001-05-03 Thread Sveinar Søpler

Is it possible to do NATing like this:

I have 128 public IP addresses from my ISP. I want to run several servers++
and want all my machines to use the public IPs I have from my ISP. Also
when I connect out from one of my machines to an external source, like an FTP
server or IRC server, I want this to be connected "from" my "real" IP, and
not the firewall IP.

E.g. my "inside" box has IP address 192.168.0.100. My external address should
then be NATed to 193.212.1.100 (masking away 192.168.0 for 193.212.1). The
next machine 192.168.0.154 should be 193.212.1.154 and so on..

Is this possible? I have been searching the net for such a solution, but the
only usable thing I get is "let's say you have one IP... ".. But I have 128!

I want to be able to connect to 1 IP address for my WEB server, another for
my FTP server+++, and NOT use "port mapping" at all.. But the "real"
address..

Could someone help me out? Is this a possibility in CookFire?

Sveinar Søpler
Servicekoordinator
Tech Computers
Tlf  : 22896022
Mail : [EMAIL PROTECTED]