On Thu, 29 Apr 1999, Bruce Stephens wrote:
> Hi Novi,
> Sorry I haven't replied sooner - just busy!!!
:)
> Masquerading is a wonderful technique for hiding CLIENTS behind a firewall.
> Now what you want is a VISIBLE server and thus if you masquerade your server,
> it will NOT be visible FROM THE INTERNET (ie requests coming IN to you!)
> There is no way to SEE your server behind the masquerade - which is
> the whole idea!!!
/* quibbling ON */
this is not entirely correct .. using packages like ipportfw or ipmasqadm
you can accept packets on an official ip and forward these to
masqueraded servers in the internal net.
/* quibbling OFF */
> So what you have to do is to make the server visible to the outside world
> by giving it a valid IP address and FORWARDING any reference to it from the
> firewall. (ipfwadm -F -a accept -S 0/0 -D <valid.ip.address/mask> 80 443)
> NOW on your DH device, get "them" to allow one specific IP address to
> come through for you (ie 1.2.3.4 with port 80 and 443 enabled) Using
> the same IP address as the DH won't work. (Where would the request go
> to?!)
I think you're partially right, but I don't understand how the following
is going to work:
packet A (from 1.2.3.4 to 194.231.254.115/28) is arriving at the cisco ..
the inner interface of the cisco has been bound to the network
194.231.254.112/28, so the cisco decides that .115 must be on a physical
connected subnet .. hence it sends an arp request onto the network asking
for the mac-address belonging to this ip... DH has disabled proxy arp, so
there's no response to the arp request so the cisco is generating ICMP
Host unreachable.. hmmm ...
you think I should enable proxy arp on DH or create a special host route
to .115 on the cisco?.. am I missing something?
> An alternative technique is to run Apache on A firewall/bastion and
> proxy to specific masqueraded INTERNAL servers (neat trick). This
> means
> that the front server becomes your bastion proxy server. Arguably dangerous but
> I personally don't think so. The real servers are hidden from the outside world
> by the masquerade and ALL transaction MUST go through the proxy server.
> Run SSL on this server too. (We do)
yep .. that would be our compromise when anything else fails ..
configuring Apache can be THAT tiring.. especially on a neurotically
ascetic 15Mb system like that found on DH :)
> Note that the ethernet "cards" can be just one ethernet card!!!!!! :-)
> (see IP aliasing)
*YUZZZ* *StopCarvingFreshPCISlotsIntoMotherboard*
thanks a lot for your help, Bruce :)
regards,
Michael Mirold
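As an added illustration that is not part of this thread: a small Python model of the next-hop decision Michael walks through, i.e. a router with 194.231.254.112/28 bound to its inner interface treating .115 as on-link, ARPing for it, and returning ICMP host unreachable when nobody answers. It then shows the two fixes he asks about side by side: enabling proxy ARP on DH (DH answers ARP for .115) versus a /32 host route on the Cisco pointing .115 at DH. DH's inner address, its MAC, and the upstream gateway are assumed values chosen for the example, not taken from the thread.

```python
"""Model of a router's longest-prefix-match lookup plus the ARP step that
follows it.  Added example; the addresses below are constructed except for
the /28 and the .115 host from the thread."""
import ipaddress

DH_INNER_ADDR = "194.231.254.113"   # assumed address of DH on the inner segment
DH_MAC = "00:00:5e:00:53:01"        # constructed MAC for DH
PUBLIC_SERVER = "194.231.254.115"   # the address forwarded to the masqueraded server
UPSTREAM_GW = "203.0.113.1"         # assumed next hop for the default route


def base_routes():
    """Routing table as described in the thread: a default route plus the
    inner /28, which is directly connected (next hop None = on-link)."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(UPSTREAM_GW), "serial0"),
        (ipaddress.ip_network("194.231.254.112/28"), None, "ethernet0"),
    ]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def arp_resolve(arp_table, target):
    """Model of the ARP exchange: returns the MAC of whoever answers for target.
    arp_table maps an IP to the MAC that will answer for it; a host with proxy
    ARP enabled appears under every address it proxies for."""
    return arp_table.get(str(target))


def forward(routes, arp_table, dst):
    """Decide what the router does with a packet for dst."""
    route = lookup(routes, dst)
    if route is None:
        return ("icmp net unreachable", None)
    net, next_hop, iface = route
    # On-link route: ARP for the destination itself; otherwise ARP for the gateway.
    target = ipaddress.ip_address(dst) if next_hop is None else next_hop
    mac = arp_resolve(arp_table, target)
    if mac is None:
        # Nobody answered the ARP request: this is the "host unreachable" case.
        return ("icmp host unreachable", None)
    return ("forward", (iface, str(target), mac))


def scenario_proxy_arp_off():
    """DH answers ARP only for its own address, so .115 is unreachable."""
    arp = {DH_INNER_ADDR: DH_MAC}
    return forward(base_routes(), arp, PUBLIC_SERVER)


def scenario_proxy_arp_on():
    """DH also answers ARP for .115 (proxy ARP), so the router hands the frame
    to DH, which then port-forwards it to the masqueraded server."""
    arp = {DH_INNER_ADDR: DH_MAC, PUBLIC_SERVER: DH_MAC}
    return forward(base_routes(), arp, PUBLIC_SERVER)


def scenario_host_route():
    """Alternative: a /32 host route on the router for .115 via DH.  The /32
    beats the /28, so the router now ARPs for DH's own address instead."""
    routes = base_routes() + [
        (ipaddress.ip_network(PUBLIC_SERVER + "/32"),
         ipaddress.ip_address(DH_INNER_ADDR), "ethernet0"),
    ]
    arp = {DH_INNER_ADDR: DH_MAC}
    return forward(routes, arp, PUBLIC_SERVER)


if __name__ == "__main__":
    print("proxy ARP off :", scenario_proxy_arp_off())
    print("proxy ARP on  :", scenario_proxy_arp_on())
    print("host route    :", scenario_host_route())
```

Both fixes end with the frame for .115 at DH's MAC; the difference is which address the router resolves. With the host route the router never ARPs for .115 at all, which keeps DH's proxy ARP off and avoids it answering for anything else on that segment.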