It's kind of tricky.  I know my explanation was not great, but without a
diagram it's kind of tough.

I will try to diagram out a test network here:


        [ router ] 192.168.4.1 ------- 192.168.4.2 [ext. GNAT Box prot.] 192.168.1.1
        |                                                                |
        |                                                                |
        |                                                                |
        Internet                                                         192.168.1.2
        |                                                                [server]
        |---------------------------------
[client]192.168.250.1--------192.168.250.1


I hope my ASCII art turned out OK.  The default gateway for the client is
the router (they are connected via a tunnel over the internet), so all
requests are forwarded through the router.  The router NATs and services
the request.  But essentially, what the firewall gets is information from an
IP on the internet (let's say www.gta.com) destined for the client at
192.168.250.1.

We want to be able to forward all traffic through GNATBox, and simply filter
out any traffic destined directly for the server.  i.e.:  anything to
192.168.1.2  DENY.  anything else, forward through, with 192.168.1.2 as the
gateway.

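A worked model of the forwarding decision discussed in this thread, added here as an illustration. It is not GNAT Box code or configuration: the `Firewall` class, `decide`, `add_route` and `deny_to` are invented names, and its anti-spoof rule (a packet with no route, or whose destination would be reached back out the interface it arrived on, is logged as "Possible Spoof" instead of forwarded) is an assumption of the model, not a statement of how GNAT Box actually tests for spoofing. The addresses are the ones given in the thread. The point it shows is the difference between the firewall having no idea where 192.168.250.1 lives (the packet arrives on the external NIC with nowhere to go but back out) and the firewall holding a route for the client network via the server, with an explicit deny for traffic addressed to the server itself.

```python
from ipaddress import ip_address, ip_network

# Constructed model of a two-interface firewall's forwarding decision.
# NOT GNAT Box code; the spoof test below is an assumption of this model.
EXTERNAL, PROTECTED = "external", "protected"
SERVER = ip_address("192.168.1.2")   # server behind the firewall, gateway to the clients


class Firewall:
    def __init__(self):
        # Networks directly attached to each interface (addresses from the thread).
        self.attached = {
            EXTERNAL: [ip_network("192.168.4.0/24")],
            PROTECTED: [ip_network("192.168.1.0/24")],
        }
        self.routes = []      # static routes: (network, out_interface, gateway)
        self.deny_dst = []    # destination networks that are never forwarded inbound

    def add_route(self, network, out_iface, gateway):
        self.routes.append((ip_network(network), out_iface, ip_address(gateway)))

    def deny_to(self, network):
        self.deny_dst.append(ip_network(network))

    def lookup(self, dst):
        """Longest-prefix lookup: returns (out_interface, gateway-or-None) or None."""
        best = None
        for iface, nets in self.attached.items():
            for net in nets:
                if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, iface, None)          # directly attached, no gateway
        for net, iface, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface, gw)
        return None if best is None else (best[1], best[2])

    def decide(self, in_iface, src, dst):
        """Verdict for an unsolicited packet arriving on in_iface (model, not GNAT Box)."""
        dst = ip_address(dst)
        route = self.lookup(dst)
        # Assumed anti-spoof rule: no route, or a route back out the arrival
        # interface, means the firewall is being asked to bounce the packet.
        if route is None or route[0] == in_iface:
            return f"Possible Spoof -> {src}->{dst}"
        out_iface, gw = route
        # Policy stated in the thread: anything addressed to the server itself is denied.
        if any(dst in net for net in self.deny_dst):
            return f"DENY {src}->{dst}"
        via = f" via {gw}" if gw else ""
        return f"FORWARD {src}->{dst} out {out_iface}{via}"


def build_misconfigured():
    """Firewall as first described: the client network is unknown to it."""
    return Firewall()


def build_configured():
    """Same firewall, now routing the client network through the server."""
    fw = Firewall()
    fw.add_route("192.168.250.0/24", PROTECTED, SERVER)   # clients sit behind the server
    fw.deny_to("192.168.1.2/32")                          # nothing may target the server directly
    return fw


if __name__ == "__main__":
    pkt = (EXTERNAL, "198.163.1.10", "192.168.250.1")     # the packet from the thread
    print(build_misconfigured().decide(*pkt))
    print(build_configured().decide(*pkt))
    print(build_configured().decide(EXTERNAL, "198.163.1.10", "192.168.1.2"))
```

Running it prints the spoof log line for the first firewall, a forward via 192.168.1.2 for the second, and a deny for the packet aimed at the server itself. In a real deployment the route and the deny rule live in the firewall's own configuration; the model only makes visible why an unsolicited packet for an address the firewall cannot place on its protected side has to be treated as suspicious.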

-----Original Message-----
From: Paul Emerson [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 25, 2000 10:13 AM
To: John Graumann
Cc: [EMAIL PROTECTED]
Subject: Re: Allow everything through



Where is the client 192.168.250.1 located?  Because it is not on the
Protected side of the firewall so it must be on the External side.

So where is 198.163.1.10 located?  I don't see where it would be
located in your information, so I can only assume it is also on the
External network.

>
>I need help with a specific configuration.  We are adding a GNATBox firewall
>to a system with a client server configuration. It is asymmetric, in that
>requests come in one way, and go out the other way.  On the client side, all
>requests for web access go to a router, where they are serviced and passed
>onto the server, which essentially forwards them back, among other things.
>The server we want to put behind the firewall.  The problem is that from the
>server (and the firewall's) point of view, all traffic destined for the
>clients comes in on the external NIC, and is unsolicited.  How do I set up
>GNATBox to allow this unsolicited traffic through, so that the server can
>forward it through.  Keep in mind, this is not traffic destined for the
>server, but back to the clients. The server is merely the gateway to the
>clients.
>
>We have tried a variety of things, but the packets are denied:
>
>IP address of the server 192.168.1.2
>IP of the protected firewall 192.168.1.1
>IP of the external firewall 192.168.4.2
>IP of the router NIC where the traffic comes from 192.168.4.1
>IP of the client 192.168.250.1
>
>Client makes a web request for 198.163.1.10.  It goes through the internet
>through a tunnel to the router. The router services the request, and passes
>the data to the server through the firewall.  We get this error:
>
>Possible Spoof -> 198.163.1.10->192.168.250.1
>
>We are testing this with GNATBox light.
>

--
----------------------------------------------------------------------------
Paul Emerson                         Tel: +1.407.380.0220 x106
Global Technology Associates, Inc.   Fax: +1.407.380.6080
3505 Lake Lynda Drive             Mobile: +1.407.310.8563
Suite 109                          Email: [EMAIL PROTECTED]
Orlando, Florida 32817 USA           Web: http://www.gta.com
                             Mobile Email: [EMAIL PROTECTED]
----------------------------------------------------------------------------
