Welp, there are basically 2 scenarios:

1) If I use the Masq, as long as it has a route
to the originating machine, it sends it there.

2) if it has a default route, it'll go there instead.

BGP either has the route information to the inside
net, or it doesn't.  If so, the route works, whether 0 hops
or 100.  Any other algorithm is the same.  If the gateway
has a false (non-workable) route to that network address,
then you're screwed - it'll spit bad packets to a different
router.


--
Bill Eldridge
Radio Free Asia
[EMAIL PROTECTED]

-----Original Message-----
From: Andrej Todosic <[EMAIL PROTECTED]>
To: Bill Eldridge <[EMAIL PROTECTED]>
Cc: Michele Nicosia <[EMAIL PROTECTED]>;
[EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, June 10, 1998 10:29 PM
Subject: Re: [masq] [masq] IPFWADM -question 2


>I don't want to sound rude but I do know what masquerading is :)
>
>
>
>what I meant is you cannot ping from the internet a box behind a
>masq server
>
>think for a sec :
>
>ping 192.168.0.1
>
>no router has a default gateway for this (on the internet). it will go as
>far as the first BGP router, then it will stop right there
>because BGP has no gateways; it actually contains all the routing tables in
>memory.
>
>now if you had on your box specified :
>add route 192.168.0.0 gw ip.address.of.masq.server
>
>then it would be working if all the routers between you and the box would
>allow source routing.
>
>
>router will say :
>
>why do you want me to take you to your gateway when I know which gateway
>is best for you anyway? piss off.
>
>
>
>
>
>Andrej Todosic
>Operations Analyst
>[EMAIL PROTECTED]
>
>
>On Wed, 10 Jun 1998, Bill Eldridge wrote:
>
>>
>>
>> >IF I UNDERSTAND YOU RIGHT YOU WANT TO MASQUERADE THE INTERNET ON YOUR LAN
>> >
>> >FOR THAT you have to allow masquerading
>> >BUT
>> >you also have to use your linux box as a gateway for your network address
>> >(destination)
>> >
>> >this is called source routing and any sane admin, especially big ISPs, are
>> >for security reasons configured to drop source routed frames
>>
>>
>>
>>
>> >so for this to work you most likely have to be 0 hops away from the linux
>> >box
>> >
>> >that's all if you have private IPs on your local LAN.
>> >
>> > otherwise if they are public then you don't need masq, you can use
>> >firewalling features just fine
>> >
>>
>>
>> No, this isn't source routing.  Masquerade simply lets a Linux box
>> handle all the conversations with the internet in a very legal, secure
>> manner, just as a company might have a few public numbers and
>> lots of private extensions.  All traffic going to the internet carries
>> the Masq Linux box's ID, and it's up to that Linux box to pass the
>> return traffic on to the correct internal destination, by keeping track
>> of port assignments.
>>
>> You can run various routing protocols internally, including gated,
>> rip, or just static routes, and you don't have to be within 0 hops
>> of the Linux box.  The Linux box just has to know how to get to
>> you.
>>
>> You should be able to set up rules on the masq box to pass
>> certain IP ranges on both sides through without doing masquerading.
>> However, the external machines will then need to know the route
>> to the internal machine addresses, something that's not needed
>> if traffic is Masq'ed.
>>
>> >
>> >> Hi all,
>> >>     i'm looking for some solutions to this problem with IPFWADM.
>> >>     i have two nics on a linux machine that act as router and firewall.
>> >>     eth0 is internal on the network 128.1.1.1 for example, eth1 is
>> >> external 10.1.1.1.
>> >>     Well, when i try to reach from a pc on the external network an ip
>> >> on the internal, and in this case i do not need the masquerade, it acts
>> >> as for the internet, masquerading the ip of any pc on the eth1.
>> >> Is it possible to masquerade all the internet 0.0.0.0/0 less than
>> >> 128.1.1.1? i do not want to reject or deny to this address, it only
>> >> needs to have a direct connection, without masquerade. The routing table
>> >> is correct for that ip: the router is not the ppp0 interface but a real gw
>> >> on the internet.
>> >> Now i'm trying with the reject but like i say it is not for my purpose.
>>
>>
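Michele's question (masquerade everything except the internal 128.1.x.x net) and Bill's two return-path scenarios, as an added simulation that is not from this thread and not anyone's real configuration: the forwarding chain models the first-match ordering of an `ipfwadm -F` chain, and the route table models the masq box's longest-prefix lookup for the reply leg. The interface names, the 10.0.0.0/8 and 128.1.0.0/16 nets, the 203.0.113.9 external address and the ipfwadm commands in the comments are constructed approximations, not the poster's setup.

```python
import ipaddress

# Constructed topology, loosely following the addresses in the thread:
# eth0 faces the internal 128.1.0.0/16 net, eth1 the 10.0.0.0/8 LAN, and
# ppp0 carries the default route to the internet.
ROUTES = [
    ("128.1.0.0/16", "eth0"),
    ("10.0.0.0/8", "eth1"),
    ("0.0.0.0/0", "ppp0"),  # default route
]

# Address the masq box writes into the source field of masqueraded packets
# (constructed placeholder from the documentation range).
MASQ_EXT_IP = "203.0.113.9"

# Forwarding chain in the spirit of `ipfwadm -F`: the first matching rule
# decides. The accept rule for the internal net must sit above the catch-all
# masquerade rule, otherwise the catch-all swallows that traffic too.
FORWARD_RULES = [
    ("accept", "0.0.0.0/0", "128.1.0.0/16"),  # ~ ipfwadm -F -a accept -D 128.1.0.0/16
    ("masq", "0.0.0.0/0", "0.0.0.0/0"),       # ~ ipfwadm -F -a m -S 0.0.0.0/0 -D 0.0.0.0/0
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match. Returns (network, interface), or None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface)
    return best


def classify(src, dst, rules=FORWARD_RULES):
    """First matching forwarding rule wins; 'deny' stands in for the default policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy, snet, dnet in rules:
        if s in ipaddress.ip_network(snet) and d in ipaddress.ip_network(dnet):
            return policy
    return "deny"


def forward(src, dst, rules=FORWARD_RULES, routes=ROUTES):
    """What the masq box does with one forwarded packet: which rule applied,
    which interface it leaves on, and which source address the far end sees."""
    policy = classify(src, dst, rules)
    if policy == "deny":
        return {"policy": "deny", "out_iface": None, "src_on_wire": None}
    route = route_lookup(dst, routes)
    if route is None:
        return {"policy": policy, "out_iface": None, "src_on_wire": None}
    return {
        "policy": policy,
        "out_iface": route[1],
        "src_on_wire": MASQ_EXT_IP if policy == "masq" else src,
    }


def return_path(inside_host, routes=ROUTES):
    """Bill's two scenarios for the reply leg: a specific route back to the
    originating machine, or the default route (which is the wrong place for a
    private address that only exists behind this box)."""
    route = route_lookup(inside_host, routes)
    if route is None:
        return "no route"
    if route[0].prefixlen == 0:
        return "default route via " + route[1]
    return "specific route via " + route[1]


if __name__ == "__main__":
    # Internal destination: accepted and forwarded unmasqueraded on eth0.
    print(forward("10.2.3.4", "128.1.7.7"))
    # Internet destination: masqueraded, leaves on ppp0 with the external address.
    print(forward("10.2.3.4", "198.51.100.5"))
    # Same packet with the rules in the wrong order: the catch-all wins.
    print(classify("10.2.3.4", "128.1.7.7", rules=list(reversed(FORWARD_RULES))))
    # Reply leg: known internal host vs. an address the box has no route for.
    print(return_path("128.1.7.7"), "|", return_path("192.168.0.1"))
```

The `reversed(FORWARD_RULES)` call shows why the ordering matters for Michele's case: with the masquerade catch-all first, packets to 128.1.x.x are masqueraded exactly as he described. The `return_path` call for 192.168.0.1 reproduces Bill's second scenario, where a reply to a host the box has no specific route for falls through to the default route.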
