Re: [masq] [masq] Masquerading minimum

1999-02-05 Thread Sandy Harris

[EMAIL PROTECTED] wrote:
 
 On  4 Feb, Fuzzy Fox wrote:
 
      118.136.195.151
     +-----+   internet   +----+
     | ISP |--------------| GW |-- to other 44.x.x.x hosts
     +-----+              +----+
        |
        | ppp0 (205.1.1.20)                   44.80.42.1
     +------------+   (192.168.1.2)        +--------+
     | Linux Masq |------------------------|  JNOS  |--- local net
     +------------+  slip0 (192.168.1.1)   +--------+  44.80.42.0/24
 
  I like pictures.  They describe things so succinctly.  :)

[big snip]

 Here is my bare bones ipfwadm test setup that I have in rc.local.
 In simplest terms, I want anything FROM JNOS passed to GW  to appear to
 use the Linux dynamic IP address

Why on earth do you want that?

Shouldn't you bypass masquerading here and let gateway see packets from
44.80.42.*? Tell the masq box not to masquerade those, just send them on
to the ISP.

You would then need routes saying:

GW:   route to 44.80.42.0 via 205.1.1.20
Masq box: """ 192.168.1.2

Two catches. One is that the first routing thing above needs to be in the
DNS of whoever owns the 44.80.* domain; you can't do this yourself. The
other is that this handles packets from 44.80.42.* correctly but not any
packets that JNOS creates with a 192.168.1.2 in the source IP header
field. I don't even know if a solution is possible for them, let alone
what it might be.

-- 
"The real aim of current [cryptography] policy is to ensure the
 continued effectiveness of US information warfare assets against
 individuals, businesses and governments in Europe and elsewhere" 
   Ross Anderson, Cambridge University
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]



Re: [masq] [masq] Masquerading minimum

1999-02-02 Thread wf3r

On  1 Feb, Fuzzy Fox wrote:

 The exact nature of your question is not clear to me, since you have
 mentioned so many different connection points that I don't understand. 
 However, if you mean "Can a person on the global Internet telnet
 directly to one of my boxes on my private LAN?" the answer is NO.  The
 only way you can allow that to happen is by setting up port forwarding.

I'm sorry I'm doing such a poor job of asking these questions. It's due
in part to my trying to avoid explaining the application's use and
nature since most of that is unimportant. Let me take another shot at
it this way. The application is a program that communicates with TCP/IP
protocols and ports, just like Linux. The application is called JNOS.
Now here is what I have in the simplest terms I can come up with.

My Linux kernel makes a ppp connection to my provider and gets a
dynamic address. Let's say it's 205.1.1.20.

My Linux kernel has an internal SLIP link to this JNOS application.
The Linux end of this SLIP link uses 192.168.1.1
The JNOS end of this SLIP link uses 192.168.1.2
They both can communicate with each other (ping, ftp, telnet, etc.)

I have the following bare minimum (for testing only) in my rc.local
file

#
echo Starting ipfwadm firewall...
#
# flush the forwarding, input and output chains
ipfwadm -F -f
ipfwadm -I -f
ipfwadm -O -f
# testing only: accept everything on all three chains
ipfwadm -I -a accept
ipfwadm -F -a accept
ipfwadm -O -a accept
# allow my lan access to all dests: masquerade (-a m) anything forwarded
# from 192.168.1.0/24; -b makes the rule match in both directions
ipfwadm -F -a m -b -S 192.168.1.0/24 -D 0.0.0.0/0
#

This allows my JNOS program using 192.168.1.2 to access the internet via
the Linux ppp0 connection. This works fine as far as I can tell and I
assume that the masquerading is actually sending the packets out using
my 205.1.1.20 dynamic address and when packets come back in, they are
being directed to my JNOS program at its 192.168.1.2 address (based on
the above ipfwadm parameters).

Now my question is... My JNOS program contacts a computer on the
internet (using this masquerading) and tells it to contact me at my
currently used address (with masquerading this would look like the ppp0
address?). If that computer at the distant end now initiates a telnet,
ping, ftp, intended to reach my JNOS program, how can I have my JNOS
program receive this incoming packet? Is it possible to redirect ALL
packets coming in from just that one distant computer on ppp0 so they
are always passed to my JNOS application?


-- 
Scott Felton - Mount Joy, PA USA
Slackware Linux v.3.6.0
[EMAIL PROTECTED]
http://www.k3ir.ampr.org


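Editor's note. The two posts above turn on one mechanism: the masq box rewrites the source of JNOS's outgoing packets to the ppp0 address and keeps a table of those flows, so replies find their way back, but a connection that the distant host opens on its own matches nothing in that table and stops at the masq box (Fuzzy Fox's "NO, only with port forwarding"). Sandy's alternative is to route 44.80.42.0/24 through without masquerading at all. The toy model below walks through both. It is an added example, not code from this thread, from ipfwadm or from JNOS. It uses the thread's addresses (205.1.1.20 on ppp0, 192.168.1.2 for JNOS, 44.80.42.0/24 for the JNOS LAN); the remote host 198.51.100.7 is a constructed documentation address, the starting masquerade port 61000 is an assumption about the kernel of the day, and the static "external port to internal host" entries stand in for what a port-forwarding tool such as ipmasqadm portfw added on top of ipfwadm.

```python
"""Toy model of a Linux 2.x IP-masquerading box, as discussed in the thread.

Added example, not code from the thread, from ipfwadm or from JNOS.
Addresses from the thread: ppp0 = 205.1.1.20, JNOS end of the SLIP link =
192.168.1.2, JNOS's own net 44.80.42.0/24.  REMOTE is a constructed
documentation address standing in for "that one distant computer".
"""
import ipaddress
from dataclasses import dataclass, replace

PPP0 = "205.1.1.20"
JNOS = "192.168.1.2"
REMOTE = "198.51.100.7"      # constructed, not from the thread
MASQ_PORT_BEGIN = 61000      # assumption: first port of the kernel's masq range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class MasqGateway:
    """Three behaviours the thread talks about:
    - masquerade: rewrite source to the ppp0 address and remember the flow
      (what 'ipfwadm -F -a m -S <net>' does)
    - bypass: forward a routable source net untouched (Sandy's suggestion)
    - portfw: static "external port -> internal host" entries for unsolicited
      inbound connections (what a port-forwarding tool adds)
    """

    def __init__(self, ext_addr, masq_net, bypass_net=None, portfw=None):
        self.ext = ext_addr
        self.masq_net = ipaddress.ip_network(masq_net)
        self.bypass_net = ipaddress.ip_network(bypass_net) if bypass_net else None
        self.portfw = dict(portfw or {})   # (proto, ext_port) -> (int_addr, int_port)
        self.table = {}                    # (proto, remote, rport, masq_port) -> (int_addr, int_port)
        self.next_port = MASQ_PORT_BEGIN

    def outbound(self, pkt):
        """Packet leaving towards the ISP; returns the packet as the ISP sees it."""
        src = ipaddress.ip_address(pkt.src)
        if self.bypass_net is not None and src in self.bypass_net:
            return pkt                     # plain routing: GW needs a route back to this net
        if src not in self.masq_net:
            return pkt                     # forwarded as-is ('ipfwadm -F -a accept'); a
                                           # private source here never gets a reply
        for key, inner in self.table.items():   # reuse the mapping for an existing flow
            if key[:3] == (pkt.proto, pkt.dst, pkt.dport) and inner == (pkt.src, pkt.sport):
                return replace(pkt, src=self.ext, sport=key[3])
        mport, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pkt.dst, pkt.dport, mport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.ext, sport=mport)

    def inbound(self, pkt):
        """Packet arriving on ppp0; returns (decision, packet as delivered)."""
        if pkt.dst != self.ext:
            return "routed", pkt           # e.g. GW sending to 44.80.42.1 via us
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
        if key in self.table:              # reply to a masqueraded flow
            iaddr, iport = self.table[key]
            return "demasq", replace(pkt, dst=iaddr, dport=iport)
        fw = self.portfw.get((pkt.proto, pkt.dport))
        if fw is not None:                 # static port forward
            return "portfw", replace(pkt, dst=fw[0], dport=fw[1])
        return "local", pkt                # nothing maps it: it stays on the masq box


def demo():
    """Walk the scenarios from the thread; returns a dict of outcomes."""
    results = {}
    plain = MasqGateway(PPP0, "192.168.1.0/24")
    # 1. JNOS opens a connection out; the ISP sees ppp0's address and a masq port.
    out = plain.outbound(Packet(JNOS, 1025, REMOTE, 23))
    results["out"] = out
    # 2. The reply matches the remembered flow and is handed back to JNOS.
    results["reply"] = plain.inbound(Packet(REMOTE, 23, PPP0, out.sport))
    # 3. The remote host later telnets to 205.1.1.20 on its own: no mapping,
    #    so the packet never reaches 192.168.1.2.
    results["unsolicited"] = plain.inbound(Packet(REMOTE, 40000, PPP0, 23))
    # 4. Same setup plus a static forward of tcp/23 to JNOS; ftp (21) is not forwarded.
    fwd = MasqGateway(PPP0, "192.168.1.0/24", portfw={("tcp", 23): (JNOS, 23)})
    results["forwarded"] = fwd.inbound(Packet(REMOTE, 40000, PPP0, 23))
    results["still_local"] = fwd.inbound(Packet(REMOTE, 40001, PPP0, 21))
    # 5. Sandy's alternative: 44.80.42.0/24 bypasses masquerading and is routed both ways.
    routed = MasqGateway(PPP0, "192.168.1.0/24", bypass_net="44.80.42.0/24")
    results["bypass_out"] = routed.outbound(Packet("44.80.42.1", 1026, REMOTE, 23))
    results["bypass_in"] = routed.inbound(Packet(REMOTE, 23, "44.80.42.1", 1026))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

Scenario 3 is the one Scott asks about: with only the masquerade rule, a connection the distant host initiates lands on the masq box itself, so JNOS never sees it; scenario 4 is the per-port forward that fixes it, one entry per service. Scenario 5 is Sandy's routing approach, which works only for packets JNOS sources from 44.80.42.x and only if GW has a route back for that net.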