> At 09:42 18-2-00 -0500, you wrote:
> >> Hello,
> >>
> >> I have a router/firewall with ipchains which protects the internal novell
> >> 3.12 network. This works perfectly. However, I do find a lot of denies in
> >> the logs which I cannot explain. These are the following log entries:
> >>
> >> output DENY ippp0 proto=6 195.86.4.71:61041 194.151.216.202:80 L=569 S=0x10
> >> I=64784 F=0x4000 T=31
> >
> >This is part of an ongoing http connection, probably from a box using IP
> >masquerading. Maybe from the firewall/masquerading box.
> >
> >>
> >> and
> >>
> >> output DENY ippp0 proto=17 195.86.48.17:1024 192.112.36.4:53 L=61 S=0x00
> >> I=354 F=0x000 T=64
> >
> >This is a DNS (reply I think). Is 195.86.48.17 one of your DNS servers?
>
> Sorry, I should have been more specific. The router/fw uses masquerading
> indeed. The router/fw dials into the ISP's server, which dynamically
> assigns an IP address. The DNS IPs are 194.165.94.1 and 194.165.94.5. My
> guess is that the source numbers in the log entries are the dynamically
> assigned IP addresses. I am also running a caching-only nameserver. Could
> this log entry be the caching-only nameserver trying to resolve an address?
That depends on what the IP address of the caching-only nameserver is.
[snip]
> I thought IP masquerading only changes the IP address of the data packets.
> So what does it need the high port numbers for? If it would change the
> port number of every data packet, I would not be able to make an internet
> connection at all.
It takes outbound packets from the masqueraded boxes inside your firewall
and rewrites the packet headers so they all look like they came from the
firewall itself and then sends them to the outside world. To properly sort
out the returning packets, a table is made of which packet went out on which
port (netstat -m). That way when the reply comes back, a simple lookup
tells which of your Linux boxen to send the reply to.
IP masquerading does use high port numbers to connect to the outside world.
This does break certain things like FTP, ICQ, IRC, etc., which embed the
origin IP within the packet. For these problems there are loadable kernel
modules such as ip_masq_ftp, ip_masq_irc, etc. (IIRC). These reach into the
packet where the IP is embedded and change that too. I may be
oversimplifying the modules, but hey!
> Thanks,
>
> Robert-Jan
[snip]
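The port table described in the reply above, as an added toy model that is not part of the original thread: outbound packets get the firewall's address and a fresh high port, replies are looked up by that port, and a small parser pulls the endpoints out of ipchains log lines like the two quoted. The 61000-65095 pool and the internal addresses are assumptions for the example.

```python
import re
from collections import namedtuple

# Port pool the 2.x masquerading code handed out (assumed here: 61000-65095).
MASQ_PORT_BEGIN, MASQ_PORT_END = 61000, 65096

# proto 6 = TCP, 17 = UDP, matching the proto= field in the ipchains log lines
Packet = namedtuple("Packet", "proto src sport dst dport")

class MasqTable:
    """Maps each outbound flow to one external port and back again."""
    def __init__(self, external_ip):
        self.external_ip = external_ip
        self.next_port = MASQ_PORT_BEGIN
        self.by_port = {}   # (proto, masq_port) -> (internal_ip, internal_port)
        self.by_flow = {}   # (proto, src, sport, dst, dport) -> masq_port

    def outbound(self, pkt):
        """Rewrite an internal packet so it appears to come from the firewall."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(key)
        if port is None:                       # new flow: allocate a high port
            if self.next_port >= MASQ_PORT_END:
                raise RuntimeError("masquerade port pool exhausted")
            port, self.next_port = self.next_port, self.next_port + 1
            self.by_flow[key] = port
            self.by_port[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.external_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Look up a reply by its destination port; None if no flow matches."""
        hit = self.by_port.get((pkt.proto, pkt.dport))
        if hit is None:
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, hit[0], hit[1])

LOG_RE = re.compile(r"(\w+) (\w+) (\S+) proto=(\d+) ([\d.]+):(\d+) ([\d.]+):(\d+)")

def parse_ipchains_log(line):
    """Pull chain, action, interface, protocol and endpoints out of one log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    chain, action, iface, proto, src, sport, dst, dport = m.groups()
    return {"chain": chain, "action": action, "iface": iface, "proto": int(proto),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def from_masq_pool(entry):
    """True if the source port is in the pool, i.e. the firewall rewrote it."""
    return MASQ_PORT_BEGIN <= entry["sport"] < MASQ_PORT_END
```

Run over the two quoted log lines, the HTTP entry's source port 61041 falls inside the assumed pool while the DNS query's source port 1024 does not, which is consistent with the DNS packet originating on the firewall itself rather than being masqueraded.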
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.