Hello,

On Thu, 6 Jul 2000, mouss wrote:

> At 09:37 06/07/00 +0930, Ben Nagy wrote:
> >I'm not an IPChains guru by any stretch of the imagination, but...
> 
> Nor am I, I have to confess!

Neither am I, so we are three :-)

> >I suspect the problem lies with the RedHat box not knowing to answer ARP
> >queries for the IP address it's providing a NAT mapping for. You could check
> >this with tcpdump - look for lots of arp requests for the public IP which
> >aren't getting answered.
> 
> I don't think ARP is needed here. For external hosts, there should be an
> explicit route that at some time arrives on the firewall. Then, the packets
> should be translated by this FW.
> So, no one needs to know the MAC address corresponding to the second address.
> ARP would only be needed in a situation like when the FW protects hosts
> using addresses that are in the same network as those of other hosts. But
> this should be a rare situation.

External hosts don't need to know the MAC address of the server, but the
gateways do: when the router receives packets for that IP it does need to
know how to route them, either with a static route or by directly knowing its
MAC address.

The solution you pointed out (static routes) could work too; in fact this
is one of the three ways to make static NAT work.
- The first is to add the ARP for that address on the right side of the
firewall, and I think it's the better solution because it's sort of universal.
- The second is to fill the routers' ARP caches with the correct MAC<->IP
entry; it could be a headache if you have a lot of routers/gateways.
- And the third is the one you mentioned: add static routes on the
involved routers with the firewall as the gateway for that IP, i.e.:

ip route 193.55.43.131 255.255.255.255 193.55.43.1

with the first address being the one statically NATted, and the last one
the FW's IP.

The last solution depends on how the firewall works: with FW-1 it's ok,
dunno with ipchains. Try and discover.
When I say that it depends, I mean that we must know what the firewall
does when it receives that packet to be directed to the NATted host.

In sum, I think "arp -a" will help.

Best regards,
--
Lorenzo Lazzeri
Intesis SpA - SECURITY LAB              Phone: +39-055-3024680
Via Volturno, 10/12                     Fax:   +39-055-300545
I-50019 Sesto Fiorentino (FI)           Email: [EMAIL PROTECTED]
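As an added example (not part of this thread), a small Python script that runs Ben's tcpdump check over a few constructed ARP lines: it counts who-has requests per target and flags any address that is asked for but never answered, which is what a missing ARP entry for the statically NATted address looks like on the wire. The sample capture, its timestamps, the requesting host 193.55.43.130 and the MAC address are constructed; 193.55.43.131 and 193.55.43.1 are the NATted address and FW address from the message.

```python
import re
from collections import defaultdict

# tcpdump prints ARP in two styles depending on its version:
#   classic: "arp who-has 193.55.43.131 tell 193.55.43.1"
#            "arp reply 193.55.43.1 is-at 0:0:c:7:ac:1"
#   modern:  "ARP, Request who-has 193.55.43.131 tell 193.55.43.1, length 28"
#            "ARP, Reply 193.55.43.1 is-at 00:00:0c:07:ac:01, length 28"
# Both patterns below match either style.
_REQUEST = re.compile(r"who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)", re.I)
_REPLY = re.compile(r"reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]+)", re.I)


def unanswered_arp(lines):
    """Return {ip: request_count} for every IP that was asked for but never
    answered in the capture.  An entry for the public, statically NATted
    address means nothing on that segment (firewall included) claims it, so
    the router cannot deliver the translated traffic."""
    requests = defaultdict(int)
    answered = {}
    for line in lines:
        m = _REQUEST.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = _REPLY.search(line)
        if m:
            answered[m.group(1)] = m.group(2)
    return {ip: n for ip, n in requests.items() if ip not in answered}


# Constructed sample capture (not real traffic): the router at 193.55.43.1
# keeps asking for the NATted address and never gets a reply, while an
# ordinary request for the router itself is answered normally.
SAMPLE = """\
09:37:01.000123 arp who-has 193.55.43.131 tell 193.55.43.1
09:37:02.000456 arp who-has 193.55.43.131 tell 193.55.43.1
09:37:02.000789 arp who-has 193.55.43.1 tell 193.55.43.130
09:37:02.000900 arp reply 193.55.43.1 is-at 0:0:c:7:ac:1
09:37:03.000000 ARP, Request who-has 193.55.43.131 tell 193.55.43.1, length 28
""".splitlines()

if __name__ == "__main__":
    # Typical use: tcpdump -n -e arp > arp.log, then feed the file here.
    for ip, n in unanswered_arp(SAMPLE).items():
        print(f"{ip}: {n} who-has request(s), no reply seen")
```

Feed it the output of `tcpdump -n arp` captured on the firewall's external interface; if the NATted address shows up here, the firewall (or whatever is supposed to proxy for it) is not answering ARP for it.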


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
