TCLUG Archive

Re: [TCLUG:10864] IP Masquerading



yes, you can with ipchains forward a single port connection, or an entire
IP through the masq to the 'inside' network... HOWEVER, this is really bad
firewall policy.  the linux firewall at my company only allows outgoing
connections, so that if a service were to have a discovered exploit,
someone would not be able to get access to a box on the 'inside' of my
network.

for our internet services, email, web, etc.  I have a single system
outside the network that contains all the sendmail/apache config.  and all
users get their email via outgoing connections through the
firewall... that way there is no way to compromise the internal network
without breaking into the firewall. (and since the firewall drops all
connections 0-1024, that's kinda hard :)



Thank You,
        Ben Kochie (ben@nerp.net)

*-----------------------*  [ - * - * - * - * - * - * - * - ]
| Unix/Linux Consulting |  [ Haiku Error Message:          ]
|  PC/Mac Repair        |  [  Chaos reigns within.         ]
|   Networking          |  [  Reflect, repent, and reboot. ]
| http://nerp.net       |  [  Order shall return.          ]
*-----------------------*  [ - * - * - * - * - * - * - * - ]

 "Unix is user friendly. It's just picky about its friends."

On Mon, 6 Dec 1999, Brian J. Ackermann wrote:

> Quick question, just so I make sure I understand this right.
> 
> If I were to set up my firewall box with masquerading, would I be able to
> connect to an 'inside' box.  I'm certain that 'inside' boxes can get 'out'
> and have info sent back to them (browsing WWW, for instance.)  But, could I
> have a machine 'inside' called, 'www.bbros.com' on our masq'd subnet
> (192.168.6.144, perhaps) and then point my browser from an 'outside' host
> toward 'www' and have the masq resolve this at all?
> 
> I'm sure there must be SOME way to do this, and I need to convince my boss
> to remove the restriction of having co-existing subnets on the same
> hardware, so that I can finish this blasted router...
> 
> 
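The two rule sets discussed in the thread, written out as an added example (this is not code from either poster): the outgoing-only masquerade with inbound 0-1024 dropped that Ben describes, and the single-port forward through the masq box that Brian asks about. The interface name eth0, the outside address 203.0.113.5, the inside network 192.168.6.0/24 and the inside host 192.168.6.144:80 are assumptions for illustration; the commands are the ipchains/ipmasqadm syntax of the 2.2-series kernels the thread is about, and need root and such a kernel to actually apply. DRYRUN=1 prints the rules instead of executing them so the policy can be reviewed anywhere.

```shell
#!/bin/sh
# Constructed example: ipchains rule sets for a 2.2-era masquerading box.
# Interface, addresses and ports are assumed values, not from the thread.
#
# DRYRUN=1 prints each command instead of running it.

run() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The policy the reply recommends: masquerade the inside net, forward only
# connections that originate inside, and drop inbound SYNs and anything
# aimed at ports 0-1024 on the outside interface.
masq_outgoing_only() {
    ext="$1"   # outside interface, e.g. eth0 (assumed)
    lan="$2"   # inside network, e.g. 192.168.6.0/24 (assumed)

    run ipchains -F
    run ipchains -P input   ACCEPT
    run ipchains -P output  ACCEPT
    run ipchains -P forward DENY

    # Only traffic from the inside net is forwarded, and it is masqueraded.
    # Replies are de-masqueraded on input, so no inbound forward rule exists.
    run ipchains -A forward -s "$lan" -j MASQ

    # Anti-spoofing: packets claiming an inside source may not arrive outside.
    run ipchains -A input -i "$ext" -s "$lan" -j DENY -l

    # No new inbound TCP connections at all: -y matches SYN-only packets.
    run ipchains -A input -i "$ext" -p tcp -y -j DENY -l
    # Drop everything inbound to the privileged port range, TCP and UDP.
    run ipchains -A input -i "$ext" -p tcp --dport 0:1024 -j DENY -l
    run ipchains -A input -i "$ext" -p udp --dport 0:1024 -j DENY -l

    run sysctl -w net.ipv4.ip_forward=1
}

# What the question asks for, and what the reply calls bad policy: expose a
# single inside service through the masq box. Must be applied after
# masq_outgoing_only, because it punches a hole in front of its deny rules.
portfw_single_port() {
    ext="$1"; extip="$2"; port="$3"; inside="$4"

    # Accept the forwarded port on input, ahead of the SYN/0-1024 denies.
    run ipchains -I input 1 -i "$ext" -p tcp -d "$extip" "$port" -j ACCEPT
    # Let the rewritten packet through the forward chain to the inside host.
    run ipchains -I forward 1 -p tcp -d "$inside" "$port" -j ACCEPT
    # Redirect the port to the inside host (ipmasqadm, 2.2 kernels).
    run ipmasqadm portfw -a -P tcp -L "$extip" "$port" -R "$inside" "$port"
}

# Usage: DRYRUN=1 sh masq.sh show   (prints both rule sets for review)
case "${1:-}" in
    show)
        masq_outgoing_only eth0 192.168.6.0/24
        portfw_single_port eth0 203.0.113.5 80 192.168.6.144
        ;;
esac
```

The forward rule for the port-forward case is the part that is easy to forget: with the forward chain policy set to DENY, the redirected packet (now addressed to the inside host) is dropped there unless it is explicitly accepted, so a forward that "does nothing" is usually a missing forward-chain rule rather than a broken ipmasqadm entry.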