Re: SmoothWall
From: Ralph Johnson (@)
Date: 03/12/03
- Previous message: Wolfgang Kueter: "Re: PIX Firewall auditing suggestions please!"
- In reply to: Digital_GHost: "SmoothWall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ralph Johnson" <@>
Date: Wed, 12 Mar 2003 16:46:18 -0000
"Digital_GHost" <digital_ghost@Informationsuperhighway.com> wrote in message
news:Xns933AAF8C99EE1digitalghost@62.253.162.106...
> Hi,
> Does anyone know whether this is possible using smoothwall?
>
> I have an internal network (192.168.0.0/24) connecting through a smoothwall
> box to the internet. The internal network is assigned a green card and the
> external a red card. Now the external network IP is (for instance)
> 62.253.198.6.
>
> There is a rule set up to except all on the external NIC and port forward
> to Port 80 to an IP address on the internal network.
>
> 62.253.198.6:80 >> 192.168.0.100:80
>
> And this connects perfectly from the internet.
>
> However should someone from an internal IP try to connect to the website
>
> http://62.253.198.6
>
> It fails......
>
> Using my small amount of TCP/IP knowledge I can't understand why this
> request is not being port forwarded by the firewall?? Surely it would know
> its external IP address or even chuck the packet out onto the internet to
> have it sent straight back at it??
>
> I can ping the external IP but not send packets at it and have them
> forwarded?
>
> Am I asking a little too much from my firewall??
>
> Any help would be greatly received..!
>
> DG
>
I assume the webserver is on the same network as the machine you are trying
to connect from? I'm not an expert, but the reason this will not work is
the following.

Your internal machine makes a connection to the firewall on port 80. Your
machine now has a connection to the firewall, and expects packets back from
the firewall. The firewall forwards these packets to your internal
webserver. Your webserver replies in the appropriate way to the IP address
that was the source for the packets (your client machine). Because your
client machine is on the same network the webserver doesn't need to reply
via the firewall and sends the packets directly back to your client machine.
When the packets from the web server reach your client machine it is not
expecting them from the webserver IP, but from the firewall IP address, so
drops these packets.

The way around this in iptables is to do SNAT, i.e. any packets from the
internal network connecting on port 80 need the source IP address changed to
the firewall IP. When the packets are returned to the firewall masquerading
kicks in and sends them back to the original client IP.

Smoothwall uses IPChains; as I say I'm not an expert, and don't know how to
do this in IPChains. The other solution will work just as well, and in the
webserver logs you will see the correct IP address for the client too. I
hope this eases some of the confusion.
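The iptables version of the fix Ralph describes (DNAT for the forward, plus SNAT on LAN-originated hits so the server's replies come back through the firewall), as an added example that is not part of the original thread and not SmoothWall's own ipchains configuration. The interface names (red/WAN eth0, green/LAN eth1) and the firewall's green address 192.168.0.1 are assumed values; the function only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Hairpin ("NAT loopback") rules in iptables for the setup in the thread.
# Constructed example: eth0 = red/WAN, eth1 = green/LAN, 192.168.0.1 = the
# firewall's green address (none of these appear in the original post).
# Nothing is changed on the host until the printed rules are piped to sh on
# the firewall itself.
hairpin_nat_rules() {
    wan="$1"; lan="$2"; pub="$3"; srv="$4"; lannet="$5"; fw_lan="$6"
    cat <<EOF
# Internet clients: public address -> internal server (the existing forward)
iptables -t nat -A PREROUTING -i $wan -d $pub -p tcp --dport 80 -j DNAT --to-destination $srv:80
# LAN clients that browse to the public address: same DNAT, arriving on green
iptables -t nat -A PREROUTING -i $lan -d $pub -p tcp --dport 80 -j DNAT --to-destination $srv:80
# Hairpin fix: rewrite the LAN client's source to the firewall's green address
# so the server answers the firewall, which reverses both translations.
# Caveat: the web server log now records $fw_lan rather than the real client.
iptables -t nat -A POSTROUTING -s $lannet -d $srv -p tcp --dport 80 -j SNAT --to-source $fw_lan
# Forward only the published service to the server, plus established replies
iptables -A FORWARD -d $srv -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Number of iptables commands in a generated rule set (comment lines excluded),
# so a caller can sanity-check the output before applying it.
rule_count() {
    hairpin_nat_rules "$@" | grep -c '^iptables'
}

# Usage with the addresses from the thread (prints the rules; review, then
# run on the firewall as: hairpin_nat_rules ... | sh):
# hairpin_nat_rules eth0 eth1 62.253.198.6 192.168.0.100 192.168.0.0/24 192.168.0.1
```

Without the SNAT line the server still sees the client's own 192.168.0.x source and replies directly on the LAN, which is exactly the asymmetric path the reply above explains.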