Re: Company Firewall's IP Address

From: Frederick Garbrecht (fgarbrecht@ecogchair.org)
Date: 11/17/02

    From: "Frederick Garbrecht" <fgarbrecht@ecogchair.org>
    To: "Bill Hamel" <billh@bugs.hamel.net>, "Meritt James" <meritt_james@bah.com>
    Date: Sat, 16 Nov 2002 23:42:03 -0500
    The packets have the firewall's external interface IP as their destination
    IP field; the firewall handles the address translation back to the internal
    host. When you initiate an outbound connection from an internal host, the
    firewall substitutes the 'hide-NAT' address (the firewall's external
    interface address) for your host's non-routable address in the source IP
    field of the IP packet, and the firewall stores the source port 'p' (>1024).
    If the firewall subsequently receives an inbound packet at its external
    interface with a destination port 'p', it associates that port number with
    your host's non-routable internal address and routes the packet accordingly.
    (At least this is how Check Point does it.)
    Fred
    ----- Original Message -----
    From: "Bill Hamel" <billh@bugs.hamel.net>
    To: "Meritt James" <meritt_james@bah.com>
    Cc: <Leonard.Ong@nokia.com>; <shuffle3@insightbb.com>;
    <tonytorri@yahoo.com>; <security-basics@securityfocus.com>;
    <cisaca-l@purdue.edu>
    Sent: Friday, November 15, 2002 10:42 PM
    Subject: Re: Company Firewall's IP Address

    > Then routing wise, how do the packets find their way back to the firewall
    > if they don't know the source IP ? ?
    >
    >
    > On Fri, 15 Nov 2002, Meritt James wrote:
    >
    > > Such is not the case. I've done otherwise.
    > >
    > > Bill Hamel wrote:
    > > >
    > > > Unless I am missing something in the question, no matter what you do,
    > > > what/whoever you connect to through a firewall will always know the IP
    > > > address of the the trusted interface of the firewall.
    > > >
    > > > -bh
    > > >
    > > > On Wed, 13 Nov 2002, Meritt James wrote:
    > > >
    > > > > "an" IP Address - not necessarily the originating individual. There are
    > > > > a LOT of ways around that.
    > > > >
    > > > > Jim
    > > > >
    > > > > Leonard.Ong@nokia.com wrote:
    > > > >
    > > > > > There is nothing new about finding your IP Address and display it on the web page.
    > > > >
    > > > > --
    > > > > James W. Meritt CISSP, CISA
    > > > > Booz | Allen | Hamilton
    > > > > phone: (410) 684-6566
    > > > >
    > >
    > > --
    > > James W. Meritt CISSP, CISA
    > > Booz | Allen | Hamilton
    > > phone: (410) 684-6566
    > >
    >
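The hide-NAT behaviour Fred describes above, as an added example (this is not code from the thread or from any Check Point product; the firewall address 203.0.113.1, the internal hosts 10.0.0.5 and 10.0.0.6, the remote server 198.51.100.7 and the scanner 192.0.2.9 are made-up values). It goes a little beyond the post in two places: when two internal hosts happen to pick the same source port, the firewall allocates a fresh external port for the second one instead of reusing 'p', and an inbound packet is only translated back if it comes from the peer the internal host originally talked to, so an outsider who guesses an open port number is still dropped.

```python
"""Toy model of hide-NAT / port address translation on a stateful firewall.

Example code written for this page; not from the original post or from any
vendor. All IP addresses below are constructed documentation-range values.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# (proto, external port) -> (internal ip, internal port, remote ip, remote port)
Entry = Tuple[str, int, str, int]


class HideNat:
    """Rewrites outbound packets to the firewall's external address and maps
    replies back to the internal host by the destination port of the reply."""

    def __init__(self, external_ip: str, port_range: Tuple[int, int] = (1025, 65535)):
        self.external_ip = external_ip
        self.lo, self.hi = port_range
        self.next_port = self.lo
        self.table: Dict[Tuple[str, int], Entry] = {}
        # reverse index so later packets of the same flow reuse their mapping
        self.flows: Dict[Tuple[str, str, int, str, int], int] = {}

    def _allocate(self, proto: str, wanted: int) -> int:
        # keep the host's own source port when it is free and above 1024
        if wanted > 1024 and (proto, wanted) not in self.table:
            return wanted
        # otherwise hand out the next free port from the pool (linear scan)
        for _ in range(self.hi - self.lo + 1):
            cand = self.next_port
            self.next_port = self.lo if cand >= self.hi else cand + 1
            if (proto, cand) not in self.table:
                return cand
        raise RuntimeError("no free external ports")

    def outbound(self, pkt: Packet) -> Packet:
        """Internal host -> Internet: substitute the hide-NAT address and port."""
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.flows.get(flow)
        if ext_port is None:
            ext_port = self._allocate(pkt.proto, pkt.src_port)
            self.table[(pkt.proto, ext_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.flows[flow] = ext_port
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> firewall external interface: translate back or drop (None)."""
        if pkt.dst_ip != self.external_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # no state for this port: unsolicited, dropped
        int_ip, int_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: still dropped
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


def demo() -> dict:
    """Two internal hosts reuse source port 40000 to the same web server;
    a third party then probes the firewall on that port."""
    fw = HideNat("203.0.113.1")
    a = Packet("10.0.0.5", 40000, "198.51.100.7", 80)
    b = Packet("10.0.0.6", 40000, "198.51.100.7", 80)
    out_a = fw.outbound(a)
    out_b = fw.outbound(b)
    reply_a = fw.inbound(Packet("198.51.100.7", 80, out_a.src_ip, out_a.src_port))
    reply_b = fw.inbound(Packet("198.51.100.7", 80, out_b.src_ip, out_b.src_port))
    probe = fw.inbound(Packet("192.0.2.9", 55555, "203.0.113.1", out_a.src_port))
    unmapped = fw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", 50000))
    return {
        "out_a": out_a, "out_b": out_b, "again_a": fw.outbound(a),
        "reply_a": reply_a, "reply_b": reply_b,
        "probe": probe, "unmapped": unmapped,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point a practitioner should take from the probe and unmapped cases is the one Bill was asking about: the outside world only ever sees the firewall's external address, and a packet aimed at that address is forwarded inward only when it matches state the firewall created for an outbound connection.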


