Re: how to connect firewall to router

From: MyndPhlyp (nobody_at_home.now)
Date: 01/28/04


Date: Wed, 28 Jan 2004 21:29:05 GMT


<hamals@infinito.it> wrote in message
news:A8QRb.284657$vO5.11560559@twister1.libero.it...
> Thanks for reply
>
> your explanation is very good....but if my adsl router has only one port
> on lan side and this port is the firewall port, how can the firewall catch
> the traffic for other IPs and direct it to the right pc?

Thomas Hertel alludes to this. Maybe I can simplify with some Networking 101.

As packets travel a network, optimizations take place to route packets to
their intended destination based on the IP packet's network. (Yeah, I know
... lots of double-talk that could just as well be found in a politician's
campaign speech.)

I mentioned your netmask, network address, broadcast address and IP
addresses of at least 2 machines in your network. Your network is also
recorded in ROUTE tables and DNS tables at your ISP. Your ISP's network is
recorded in yet another ISP's (or InterNIC - the lowest level authoritative
"voice").
The whole thing acts like one big phone book. Each network knows what the
various components are in their little corner of the world and shares this
information with the rest of the world.

As a packet travels through various relay points, a wrapper is placed around
the packet with information identifying the relay point as the "reply to"
machine. Your packet could be going through 10's or (heaven forbid) 100's of
relay points with each one adding more information to the packet. It becomes
a map of how the destination should respond.

When the packet gets to the destination, the destination unwraps all the
layers, locates the original message, responds appropriately and rewraps the
package sending it back to only that last relay point.

The return process is the inverse of the sending process - as each relay
point receives the return message, it takes off its wrapper and passes it
to the next originator back through the chain.

So (finally) we get back to your ADSL modem - just another relay point for
the Linux machine. If it were a private IP address, the ADSL modem is
actually the originator and it would look up in the NAT tables it maintains
to determine the ultimate final destination. Since your Linux machine has a
public address, the ADSL modem is not the originator but rather just another
relay point - the ADSL modem takes off its wrapper and forwards the packet.

The reason it must follow its original path on the return is because that
wrapper information contains MAC addresses - it's part of that optimization
I mentioned long ago.

In short (why the hell didn't he just say this and be done with it!), the
ADSL modem doesn't really know your Linux machine exists. Any WAN or LAN
traffic destined for IP addresses 152.3.0.x within the netmask
255.255.255.240 must be either the ADSL modem or some other device on the
LAN side of the ADSL modem. Being a single port ADSL modem, it is just
firing the packet through your LAN network. All the devices on your LAN
"receive" that packet, but only the originator processes the packet's
information - the rest discard the information. (Not the complete truth, but
it serves to illustrate the situation. Anybody can listen in on a
conversation if they can "hear" the packet.)

The inbound packet could just as easily be for 152.3.0.11 or 152.3.0.9 and
the ADSL modem would fire it off to the LAN. Packets sent to 152.3.0.21
would be dropped (unless certain optimizations were disabled) or ignored.
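As an added example (not part of the original post or the poster's own work), the following Python script shows the arithmetic behind the "within the netmask" test above: a router ANDs the destination address with the netmask and compares the result with its own network bits, and only a match means the packet belongs on the LAN segment. The netmask 255.255.255.240 and the addresses 152.3.0.11, 152.3.0.9 and 152.3.0.21 come from the post; the network address 152.3.0.0 is an assumption, chosen because it is the only /28 block that contains .9 and .11 while excluding .21. The function and variable names are my own.

```python
"""
Added example: how a router decides whether a destination IP is "on the LAN"
using the netmask the post names (255.255.255.240, i.e. a /28).

Assumption (not stated in the post): the /28 block is 152.3.0.0, the only /28
that contains 152.3.0.9 and 152.3.0.11 while excluding 152.3.0.21.
"""
import ipaddress

NETMASK = "255.255.255.240"      # from the post
ASSUMED_NETWORK = "152.3.0.0"    # assumption, see module docstring


def ip_to_int(dotted: str) -> int:
    """Convert dotted-quad text to a 32-bit integer, validating each octet."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(netmask: str) -> int:
    """Count the leading one bits of a contiguous netmask (255.255.255.240 -> 28)."""
    m = ip_to_int(netmask)
    # A valid mask is ones followed by zeros, so its inverse must be 2**k - 1.
    inverted = (~m) & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask: {netmask}")
    return 32 - inverted.bit_length()


def subnet_bounds(network: str, netmask: str) -> tuple:
    """Return (network address, broadcast address) of the block."""
    m = ip_to_int(netmask)
    net = ip_to_int(network) & m
    bcast = net | (~m & 0xFFFFFFFF)
    return int_to_ip(net), int_to_ip(bcast)


def on_lan(dst: str, network: str = ASSUMED_NETWORK, netmask: str = NETMASK) -> bool:
    """The router's decision: equal network bits under the mask means local delivery."""
    m = ip_to_int(netmask)
    return (ip_to_int(dst) & m) == (ip_to_int(network) & m)


def classify(addresses, network=ASSUMED_NETWORK, netmask=NETMASK) -> dict:
    """Map each destination to 'LAN' (fired onto the segment) or 'not-LAN' (dropped or routed elsewhere)."""
    return {a: ("LAN" if on_lan(a, network, netmask) else "not-LAN") for a in addresses}


def cross_check(network=ASSUMED_NETWORK, netmask=NETMASK) -> bool:
    """Confirm the hand arithmetic agrees with the standard library's ipaddress module."""
    n = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    net, bcast = subnet_bounds(network, netmask)
    return (str(n.network_address), str(n.broadcast_address), n.prefixlen) == (
        net, bcast, prefix_length(netmask))


if __name__ == "__main__":
    print("prefix length:", prefix_length(NETMASK))
    print("network/broadcast:", subnet_bounds(ASSUMED_NETWORK, NETMASK))
    # The three destinations discussed in the post.
    for addr, verdict in classify(["152.3.0.11", "152.3.0.9", "152.3.0.21"]).items():
        print(f"{addr:>12} -> {verdict}")
    print("matches ipaddress module:", cross_check())
```

Running it prints the block's bounds (152.3.0.0 through 152.3.0.15 under the assumed network), marks .11 and .9 as LAN and .21 as not-LAN, and confirms the manual arithmetic against `ipaddress`. The same check is what makes the post's closing caveat matter for a defender: every address that passes it is delivered onto the shared segment, so every host on that segment can see those frames.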


