On Wed, 14 Feb 2001, Brian Kimsey-Hickman wrote:

> Date: Wed, 14 Feb 2001 09:22:28 -0500
> From: Brian Kimsey-Hickman <[EMAIL PROTECTED]>
> To: Michael Wood <[EMAIL PROTECTED]>, [email protected]
> Subject: RE: FW: Help! ipmasqadm problem - Help its still not working
> Resent-Date: Wed, 14 Feb 2001 15:23:54 +0100 (CET)
> Resent-From: [email protected]
>
> Thanks for the advice. Actually I do need to MASQ both incoming and
> outgoing packets. I have not mentioned this in previous postings but this
> new firewall is set up on a second T-1 line. I have an old T-1 and firewall
> that will be dropped a few weeks after this one is up. If I don't mask the
> incoming then when the web server responds the routers will send that
> traffic out through the old T-1. In the final product I was going to set
> the forward policy to DENY or REJECT and have two lines that would MASQ port
> 80 incoming and outgoing. After the old T-1 is dropped then that could be
> changed. I had not thought of it before you mentioned it but is it possible
> to MASQ both incoming and outgoing?
>
> Thanks for the input,
Here are my thoughts about your problem:

1) You can't solve routing problems with firewall rules.

2) You do NOT need IP masquerading with port forwarding in any case. The reply to a forwarded packet will be sent back to the forwarding host, not to the original source address. Read /usr/doc/netbase/ipmasqadm/README.portfw.gz (at least on Debian ;-) for details.

3) When you masquerade incoming packets you don't have a "wide open firewall", you have something worse than no firewall at all. You are preventing attackers from being recognised. The only case in which an external packet is masqueraded is when it has a destination address in your internal network. As you use private addresses for these networks, which are never routed across networks, this can only be the case if someone manually routes it to your external interface. Who other than an attacker would do that?

HTH
manolo

-- 
PGP and GnuPG public keys available at http://germany.keyserver.net
PGP: 24B81049 Fingerprint: D7 10 EE 2B 74 16 C0 64 B4 5F BA B2 90 29 3D AF
GPG: 6B299971 Fingerprint: A598 A41F 57A3 5D69 83D2 8027 1274 F8CD 6B29 9971
+++ United States of America ... where you can get elected with less votes +++
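The decision manolo describes in points 2 and 3, as an added example that is not part of the thread and not anyone's actual rule set: a small model of what the firewall does with a packet arriving on the external interface. A packet whose destination is an RFC 1918 address can only have been routed to the firewall deliberately, so it is logged with its real source and dropped instead of being masqueraded; a packet for the public address on port 80 is handed to the port forwarder, which rewrites only the destination, so the original source survives and no masquerading is needed. The interface names, the firewall and web server addresses and the sample packets are assumptions constructed for this example, and it also flags private source addresses, which goes beyond what the post says.

```python
# Added example, not from the original thread. Interface names, addresses
# and the sample packets below are assumptions constructed for illustration;
# the public addresses come from the documentation ranges 203.0.113.0/24
# and 198.51.100.0/24.
import ipaddress
from dataclasses import dataclass, replace

EXT_IFACE = "eth0"                                  # assumed external interface
INT_IFACE = "eth1"                                  # assumed internal interface
FW_EXT_ADDR = ipaddress.ip_address("203.0.113.10")  # assumed public address of the firewall
FW_INT_ADDR = ipaddress.ip_address("192.168.1.1")   # assumed internal address of the firewall

PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def classify(pkt: Packet) -> str:
    """Decide what the firewall does with a packet.

    'portfw'   - public address, tcp/80: hand to the port forwarder. Only the
                 destination is rewritten, so the real source is preserved.
    'log-deny' - private destination (or private source) seen on the external
                 interface: cannot happen by accident, log the real source, drop.
    'deny'     - any other packet from outside.
    'internal' - did not arrive on the external interface; not decided here.
    """
    if pkt.iface != EXT_IFACE:
        return "internal"
    if is_private(pkt.dst) or is_private(pkt.src):
        return "log-deny"
    if (ipaddress.ip_address(pkt.dst) == FW_EXT_ADDR
            and pkt.proto == "tcp" and pkt.dport == 80):
        return "portfw"
    return "deny"


def masquerade_incoming(pkt: Packet) -> Packet:
    """What a 'MASQ incoming' rule would do to the same packet: rewrite the
    source to the firewall's internal address before passing it inside."""
    return replace(pkt, iface=INT_IFACE, src=str(FW_INT_ADDR))


def attribution(pkt: Packet, masq: bool) -> str:
    """Source address the internal web server would record for this packet.
    With masquerading it records the firewall, not the attacker."""
    return masquerade_incoming(pkt).src if masq else pkt.src


# Constructed sample traffic (not real captures).
SAMPLES = [
    Packet("eth0", "198.51.100.7", "203.0.113.10", "tcp", 80),   # legitimate web client
    Packet("eth0", "198.51.100.7", "192.168.1.80", "tcp", 80),   # routed to our private net on purpose
    Packet("eth0", "10.0.0.5", "203.0.113.10", "tcp", 22),       # spoofed private source
    Packet("eth0", "198.51.100.9", "203.0.113.10", "tcp", 25),   # not forwarded: deny
    Packet("eth1", "192.168.1.33", "198.51.100.7", "tcp", 443),  # outbound from inside
]


def audit(packets=SAMPLES) -> dict:
    """Count decisions per class, as a rule-set review over sample traffic would."""
    counts = {}
    for p in packets:
        decision = classify(p)
        counts[decision] = counts.get(decision, 0) + 1
    return counts


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p.iface} {p.src:>14} -> {p.dst}:{p.dport}  {classify(p)}")
    attacker = SAMPLES[1]
    print("server log without masq:", attribution(attacker, masq=False))
    print("server log with masq:   ", attribution(attacker, masq=True))
```

The `attribution` comparison is the point of manolo's third item: masquerading the inbound packet does not stop it reaching the internal host, it only replaces the attacker's address with the firewall's own in every log the host keeps.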

