Re: Company Firewall's IP Address

From: Bill Hamel (billh@bugs.hamel.net)
Date: 11/19/02

    Date: Tue, 19 Nov 2002 09:46:23 -0500 (EST)
    From: Bill Hamel <billh@bugs.hamel.net>
    To: Meritt James <meritt_james@bah.com>
    
    

    Ya know, if I didn't know any better I would think this thread is going in
    the direction of confusing the 'basic-security' reader.

    A. At the routing level packets will ALWAYS go to the next-hop which may
    not be the final source or destination, so the first part of your
    statement makes some sense.

    B. The second part does not make sense. What does "Extrapolate proxies"
    have to do with how something is going to route on the net? Since this is
    a Basic-Security forum, please enlighten me. I am always willing to learn
    something new.

    The original user had a window pop up in a browser that showed him the IP
    address of the external interface of the firewall.

    This is absolutely normal if you "Extrapolate" what is going on.

    The user opens up his/her browser on their desktop. Their desktop has an
    internal IP address. The firewall translates this into an externally
    routable IP address which lives on the external interface of the firewall.

    Once that packet is fired off to its destination it typically goes
    through multiple hops (see "Traceroute") to get there. It needs a return
    path back to the external interface of the firewall, hence the IP address
    MUST be available to the destination.

    IMHO a "Proxy" has nothing to do with this; see "Basic Routing Principles"
    ;)

    -bh

    On Mon, 18 Nov 2002, Meritt James wrote:

    > The packets do not have to go directly to the source IP. They have to
    > get to something that can get them to something... that can get to the
    > source IP. Extrapolate proxies.
    >
    > Jim
    >
    > Bill Hamel wrote:
    > >
    > > Then routing wise, how do the packets find their way back to the firewall
    > > if they don't know the source IP??
    > >
    > > On Fri, 15 Nov 2002, Meritt James wrote:
    > >
    > > > Such is not the case. I've done otherwise.
    > > >
    > > > Bill Hamel wrote:
    > > > >
    > > > > Unless I am missing something in the question, no matter what you do,
    > > > > what/whoever you connect to through a firewall will always know the IP
    > > > > address of the trusted interface of the firewall.
    > > > >
    > > > > -bh
    > > > >
    > > > > On Wed, 13 Nov 2002, Meritt James wrote:
    > > > >
    > > > > > "an" IP Address - not necessarily the originating individual. There are
    > > > > > a LOT of ways around that.
    > > > > >
    > > > > > Jim
    > > > > >
    > > > > > Leonard.Ong@nokia.com wrote:
    > > > > >
    > > > > > > There is nothing new about finding your IP Address and displaying it on the web page.
    > > > > >
    > > > > > --
    > > > > > James W. Meritt CISSP, CISA
    > > > > > Booz | Allen | Hamilton
    > > > > > phone: (410) 684-6566
    > > > > >
    > > >
    > > > --
    > > > James W. Meritt CISSP, CISA
    > > > Booz | Allen | Hamilton
    > > > phone: (410) 684-6566
    > > >
    >
    > --
    > James W. Meritt CISSP, CISA
    > Booz | Allen | Hamilton
    > phone: (410) 684-6566
    >
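
The address translation described in the message above, as an added example that is not part of the original thread: a minimal source-NAT model showing which source address the web server sees and how the reply is mapped back to the desktop. The class and function names are hypothetical, and all addresses are constructed from the RFC 1918 and RFC 5737 documentation ranges.

```python
# Added illustration: minimal source-NAT (port address translation) model.
# All addresses are constructed (RFC 1918 / RFC 5737 documentation ranges).
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatFirewall:
    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}  # (int ip, int port, dst ip, dst port) -> external port
        self.in_map = {}   # (external port, remote ip, remote port) -> (int ip, int port)

    def outbound(self, pkt):
        """Rewrite the source to the external interface and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            ext_port = self.next_port
            self.next_port += 1
            self.out_map[key] = ext_port
            self.in_map[(ext_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Map a reply back to the desktop; drop anything without a translation entry."""
        if pkt.dst_ip != self.external_ip:
            return None
        internal = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if internal is None:
            return None  # unsolicited packet: the firewall has no state for it
        return replace(pkt, dst_ip=internal[0], dst_port=internal[1])

def server_reply(request):
    """The web server answers whatever source address it saw on the request."""
    return Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port)

def demo():
    fw = NatFirewall("192.0.2.1")
    seen = fw.outbound(Packet("10.0.0.5", 51000, "198.51.100.7", 80))
    delivered = fw.inbound(server_reply(seen))
    stray = fw.inbound(Packet("198.51.100.99", 80, "192.0.2.1", 40000))
    return seen, delivered, stray

if __name__ == "__main__":
    for item in demo():
        print(item)
```

The first packet printed is what the destination server receives: its source is the firewall's external address, which is the address a web page would display back to the user.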


