On Tue, 12 Nov 2002, tony tony wrote:

> I was doing security research on the internet at work yesterday....when all of
> a sudden I got a pop up advertisement that stated that I was broadcasting my IP
> address to the entire internet.  It then showed a screen with my IP address
> which was the external IP interface of one of our company's firewalls.
>
> It just bothers me that someone would be able to determine the IP address of
> our firewall that easily.  It seems to me that our firewall should operate in a
> more stealth mode.  Our firewall administrator said it is not technically
> possible to do this.  What is your take?…I am not a checkpoint firewall guru…so
> I do not know.   All I know is that if I was a hacker, I would love to hammer
> away on an ip address that represented a firewall.

It's basically hogwash.

Somewhere in the headers of most TCP/IP packets is a space for the source
IP address. This is a good thing, because that's how the protocols return
answers to you -- i.e.: you open a webpage, it sends back text and graphics;
you ssh into a box, you get text output, you ping (ICMP echo request) a
box, it answers (ICMP echo reply).

In your case, I'd hazard a guess that the Checkpoint is doing some
proxy or ipmasqing, which means it rewrites the source ip address to its
own external interface and sends it along, keeping state of who asked for
what. When it gets the answer back, it rewrites things again, and passes
it back to you.

So, without the Checkpoint, this website would have returned your system's
IP address, assuming it's in the public IP ranges. With the Checkpoint
masq'ing you, the website reported its IP address.

There are some firewalls (ipf packet filter comes to mind) that can
operate more stealthily, but ... either way, it's gonna get an IP address
out of it. :P

-- 
-- John E. Jasen ([EMAIL PROTECTED])
-- User Error #2361: Please insert coffee and try again.
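
Added example, not part of the original message: a toy model of the masquerading described in the reply, showing that the remote server only ever sees the gateway's external address and that inbound packets without matching state are dropped. The class and function names and all addresses (documentation ranges and a private 10.x host) are constructed for illustration and are not Checkpoint's implementation.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Masquerader:
    """Toy source-NAT gateway: rewrites outbound source, keeps state for replies."""

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.by_flow = {}  # (int_ip, int_port, dst_ip, dst_port) -> external port
        self.by_port = {}  # external port -> (int_ip, int_port, dst_ip, dst_port)

    def outbound(self, pkt: Packet) -> Packet:
        # "Rewrites the source IP address to its own external interface."
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.by_port[self.next_port] = flow
            self.next_port += 1
        return replace(pkt, src_ip=self.external_ip, src_port=self.by_flow[flow])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # "Keeping state of who asked for what": only replies to known flows pass.
        flow = self.by_port.get(pkt.dst_port)
        if pkt.dst_ip != self.external_ip or flow is None:
            return None
        int_ip, int_port, peer_ip, peer_port = flow
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # right port, wrong peer: not an answer to our request
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)

def demo():
    fw = Masquerader("203.0.113.1")                            # constructed external IP
    request = Packet("10.0.0.42", 51515, "198.51.100.80", 80)  # constructed workstation
    on_wire = fw.outbound(request)
    reply = Packet(on_wire.dst_ip, on_wire.dst_port, on_wire.src_ip, on_wire.src_port)
    delivered = fw.inbound(reply)
    stray = fw.inbound(Packet("192.0.2.66", 4444, "203.0.113.1", on_wire.src_port))
    # The web server can only echo back the source address it received.
    return on_wire.src_ip, delivered, stray

if __name__ == "__main__":
    print(demo())
```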
