Hi Novi...
>On Thu, 29 Apr 1999, Bruce Stephens wrote:
>
> > Hi Novi,
> > Sorry I haven't replied sooner - just busy!!!
>
>:)
>
> > Masquerading is a wonderful technique for hiding CLIENTS behind a firewall.
> > Now what you want is a VISIBLE server and thus if you masquerade your server,
> > it will NOT be visible FROM THE INTERNET (ie requests coming IN to you!)
> > There is no way to SEE your server behind the masquerade - which is
> > the whole idea!!!
>
>/* quibbling ON */
>
>this is not entirely correct .. using packages like ipportfw or ipmasqadm
>you can accept packets on an official ip and forward these to
>masqueraded servers in the internal net.
>
>/* quibbling OFF */
Perhaps, but I was referring to a clean firewall without holes.
>
> > So what you have to do is to make the server visible to the outside world
> > by giving it a valid IP address and FORWARDING any reference to it from the
> > firewall. (ipfwadm -F -a accept -S 0/0 -D <valid.ip.address/mask> 80 443)
> > NOW on your DH device, get "them" to allow one specific IP address to
> > come through for you (ie 1.2.3.4 with port 80 and 443 enabled) Using
> > the same IP address as the DH won't work. (Where would the request go
> > to?!)
>
>I think you're partially right, but I don't understand how the following
>is going to work:
>
> packet A (from 1.2.3.4 to 194.231.254.115/28) is arriving at the cisco ..
>the inner interface of the cisco has been bound to the network
>194.231.254.112/28, so the cisco decides that .115 must be on a physical
>connected subnet .. hence it sends an arp request onto the network asking
>for the mac-address belonging to this ip... DH has disabled proxy arp, so
<snip here>
If the device is on the same subnet, then the cisco MUST have its MAC address
by default.
It doesn't matter if the DH disables proxy arps or not - I don't think that
you even need to consider proxy arps.
If the cisco can see the MAC address of the DH input ethernet card,
it will display the MAC address in its host listing. If you can ping
the cisco then the link at the MAC level is there.
If there isn't a response then
1. The ethernet card is not enabled/misconfigured etc...
2. You haven't added the routes (netstat -r -n)
>there's no response to the arp request so the cisco is generating ICMP
>Host unreachable.. hmmm ...
>
>you think I should enable proxy arp on DH or create a special host route
>to .115 on the cisco?.. am I missing something?
Forget proxy arp!
Routing yes...
Add route for the entire 194.231.254.115/28 subnet
route add -net 194.231.254.11x/28 gw ethx where the cisco address of
112 and the DH address of 115 are within the network(255.255.255.240)
(PS Sorry to the purists who don't like route add ... gw ethx!!!)
I suspect that this is a routing issue now!!!
> > An alternative technique is to run Apache on A firewall/bastion and
> > proxy to specific masqueraded INTERNAL servers (neat trick). This means
> > that the front server becomes your bastion proxy server. Arguably dangerous but
> > I personally don't think so. The real servers are hidden from the outside world
> > by the masquerade and ALL transactions MUST go through the proxy server.
> > Run SSL on this server too. (We do)
>
>yep .. that would be our compromise when anything else fails ..
>configuring Apache can be THAT tiring.. especially on a neurotically
>ascetic 15Mb system like that found on DH :)
Doesn't have to be big - just one proxy. Nothing else. (no pages)
> > Note that the ethernet "cards" can be just one ethernet card!!!!!! :-)
> > (see IP aliasing)
>
>*YUZZZ* *StopCarvingFreshPCISlotsIntoMotherboard*
>
>thanks a lot for your help, Bruce :)
>
>
>regards,
>
> Michael Mirold
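The routing discussion above (whether the cisco at 194.231.254.112/28 will ARP for .115 directly, and whether .112 and .115 sit inside the same 255.255.255.240 network) comes down to a few subnet computations. The following Python script is an added example written for this archived thread; it is not code from either poster. It uses only the standard-library ipaddress module and the addresses that appear in the thread, and it emits a `route add -net ... dev ethx` line with a `dev` argument for a directly connected network rather than the `gw ethx` form quoted above. Note that in a /28 the .112 address is the network address itself and .127 the broadcast, so the usable host range is .113 through .126.

```python
import ipaddress


def usable_hosts(network):
    """Return (first, last) usable host address of an IPv4 network as strings.

    The network address and the broadcast address are excluded, which is why a
    /28 written as 194.231.254.112/28 has hosts .113 through .126 only.
    """
    net = ipaddress.ip_network(network, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1])


def is_valid_host(address, network):
    """True if `address` is a usable host address inside `network`."""
    net = ipaddress.ip_network(network, strict=False)
    addr = ipaddress.ip_address(address)
    return addr in net and addr not in (net.network_address, net.broadcast_address)


def forwarding_decision(interface_network, destination):
    """Mimic the router behaviour described in the thread.

    A destination inside the subnet bound to the interface is treated as
    directly connected, so the router resolves it with an ARP request; anything
    outside that subnet has to go to a gateway instead.
    """
    net = ipaddress.ip_network(interface_network, strict=False)
    dst = ipaddress.ip_address(destination)
    return "on-link" if dst in net else "via-gateway"


def route_for(network, iface):
    """Build the route for the whole subnet, as the reply recommends.

    Any host/prefix pair in the subnet (e.g. .115/28) is normalised to the
    network address (.112) before the command is built.
    """
    net = ipaddress.ip_network(network, strict=False)
    return f"route add -net {net.network_address} netmask {net.netmask} dev {iface}"


def diagnose(dh_address, router_network, router_sees_mac):
    """Walk through the checklist from the reply and return the findings as a list.

    `router_sees_mac` stands in for the cisco's host/ARP listing showing the
    DH's MAC address; it is a constructed input for the example.
    """
    findings = []
    if not is_valid_host(dh_address, router_network):
        findings.append("address is not a usable host in the router's subnet")
    if forwarding_decision(router_network, dh_address) == "on-link" and not router_sees_mac:
        findings.append("no ARP reply: check the ethernet card is up/configured")
        findings.append("check the routes on the DH (netstat -r -n)")
    if not findings:
        findings.append("link-level reachability looks fine; proxy arp is not needed")
    return findings


if __name__ == "__main__":
    # Constructed values taken from the thread: the cisco's inner interface
    # network and the DH server address that the cisco ARPs for.
    print(usable_hosts("194.231.254.112/28"))
    print(forwarding_decision("194.231.254.112/28", "194.231.254.115"))
    print(route_for("194.231.254.115/28", "eth0"))
    for line in diagnose("194.231.254.115", "194.231.254.112/28", router_sees_mac=False):
        print("-", line)
```

Run as a script it prints the usable host range, the on-link decision for .115, the subnet route line, and the two checks from the reply (card configuration and routes) for the case where the cisco never learns the DH's MAC address.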
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]