Try to think in terms of what is giving uniqueness to such a
communication "link" (at the UDP/TCP level - in your case TCP)?
The answer is the uniqueness of an "identifier" made out of two
pairs of values:
(1st pair) source IP address and source TCP or UDP port
(2nd pair) destination IP address and destination TCP or UDP port
So - first - what's common in this group in your case?
- source IP (we are talking now about your NAT device
communicating to the web server, thus it being the source) - you
figured it out already - same for all (you use dynamic NAT, with
unique address hiding all internal ones)
- destination IP - same for all (the IP address of the web server)
- port - same for all (TCP 80 for http)
So - what's left which can uniquely identify your socket pair? - the
source port - so your system has to pick every time another port,
and keep a table which maps the original IP address from inside,
and the client original port, to this unique port created for each
incoming connection request.
HTH
On 8 Jun 2000, at 19:55, [EMAIL PROTECTED] wrote:
> I am (trying) to configure IP masquerading for a firewall.
>
> I don't understand how the following occurs.
>
> Trying to set up a firewall with 2 NICs,
> 1 , an external nic with a valid internet address of ZZZ.Z.Z.201
> 2, an internal nic with a private lan number of 192.68.x.11
>
> behind the firewall are, 5 workstations with private lan numbers of
> 192.68.1.101-105
>
> What happens for the following circumstance ,
> all 5 workstations send 2 independent web requests to yahoo.com ?
>
> As far as I can reason - each workstation is seen by the internet as
> zzz.z.z.201.
> This is the ip masquerading at work.
> So yahoo receives 10 requests from .201 and responds to all of them.
>
> Yahoo.com webserver responds to .201 with 10 responses, all destined for the
> .201 address.
> Somehow the firewall must be able to determine not only which machine to send
> it to, but which session.
>
> How does the masquerading firewall machine know
> which response goes to which mac address/ip address combination,
> and not only which machine , but which session per machine.
>
> Can anyone help me to understand what goes on in this situation,
> or point me to a beginners URL that will explain this to me.
>
> Thanks in advance.
> RW
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
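The translation table the reply describes, as an added example (not code from either poster): a small dynamic NAT model that gives each inside (IP, port) → (server, 80) connection its own external source port and uses that port to route the reply back. Addresses are constructed stand-ins for the ZZZ.Z.Z.201 and 192.68.x.x values in the question.

```python
from dataclasses import dataclass

NAT_EXTERNAL_IP = "203.0.113.201"  # constructed stand-in for the ZZZ.Z.Z.201 external address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Dynamic NAT: all inside hosts share one external IP; the external source port is the key."""

    def __init__(self, external_ip, first_port=1024, last_port=65535):
        self.external_ip = external_ip
        self.next_port = first_port
        self.last_port = last_port
        self.outbound = {}  # (inside ip, inside port, dst ip, dst port) -> external port
        self.inbound = {}   # external port -> (inside ip, inside port, dst ip, dst port)

    def translate_out(self, pkt):
        """Rewrite an outgoing packet; allocate a fresh external port for a new 4-tuple."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            if self.next_port > self.last_port:
                raise RuntimeError("external port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt):
        """Map a reply back to the inside host, or drop it if no matching mapping exists."""
        key = self.inbound.get(pkt.dst_port)
        # the reply must come from the same server IP/port the mapping was created for
        if key is None or (pkt.src_ip, pkt.src_port) != (key[2], key[3]):
            return None
        inside_ip, inside_port, _, _ = key
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo(server="198.51.100.10"):
    """5 workstations x 2 requests to the same web server (constructed addresses)."""
    nat = Masquerader(NAT_EXTERNAL_IP)
    # two workstations may pick the same client port (4000), so the NAT cannot reuse it as-is
    originals = [Packet(f"192.168.1.{101 + i}", 4000 + j, server, 80)
                 for i in range(5) for j in range(2)]
    outgoing = [nat.translate_out(p) for p in originals]
    replies = [Packet(server, 80, NAT_EXTERNAL_IP, p.src_port) for p in outgoing]
    delivered = [nat.translate_in(r) for r in replies]
    return originals, outgoing, delivered
```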