Re: Seeing outside IP address when inside
- From: "Spack" <news@xxxxxxxxxxxxxxxx>
- Date: Thu, 29 Jun 2006 11:11:05 +0100
Richard wrote on Thu, 29 Jun 2006 09:07:52 +0100:

> "Dave {Reply Address In.sig}" <"noone$$"@llondel.org> wrote in message
> news:u5qan3-
>
> > Why do you need this? If it's to let internal hosts access the same
> > services that are available from outside without changing hostnames then
>
> The main motivation for doing this is access to my (passive) FTP server:
> it opens the data connexion from the server end by saying "call me back
> on www.xxx.yyy.zzz:pppp." This message is passed in plain text across the
> control connexion and won't get translated by any Natterbox. (Well, it
> could, but I'd rather it left that sort of thing alone).

Ah, right. I never get that problem as I do allow my router to edit the FTP
packets, so my FTP server uses a LAN IP address.

> I know there are all sorts of ways of surmounting this problem but it's
> just so damn stupid. The whole point of the internet is that you're
> supposed to be able to connect from anywhere to any given destination
> transparently (assuming the server wants you to connect).
>
> Having this restriction is crazy and I can see no reason for it.

Most simple NAT routers are designed for getting connected to the internet
to access data on it, not to use it to run services.

> If there is a good reason for a modem/router (which knows its external IP
> address) preventing intra-LAN IP packets being subject to the same
> port-forwarding and address translation as traffic from the outside, then
> I really would like to know what it is.
>
> There may be a damn good reason for it, but I can't for the life of me see
> what it is.

As I mentioned in my post, it's a simple way to prevent one type of spoofing
attack. If a packet enters the router on the WAN interface with a source
from the LAN IP range, it drops it. Doing more than this (checking against
internal state tables, passing it back out on the LAN interface to the NAT'd
IP, and doing the same with the return packets) requires more complexity in
the OS, and more processing. This often equates to a more expensive unit as
it'll have SPI and a bunch of other features (no point just adding an SPI
table and doing very little with it), and so takes it out of the realms of a
consumer-grade appliance.

> I want to be able to do all this in one box (modem/router/fw). Hence the
> request for a model which does the job properly.

I'd look for a box that has zone segmentation (e.g. LAN, DMZ, WAN, where the
DMZ is actually on its own interface) and so won't see packets on the WAN
interface that are sourced from the LAN interface, or set up a Linux box
that will do it all for you. A PIX might also work with the alias command,
but I've only ever used it to map public IPs to private IPs on an alternate
interface (my PIX has 3 interfaces, with publicly accessible servers on
their own "DMZ"); I'm not sure if it'll even work mapping IPs back to the
same interface.

Dan
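The two mechanisms discussed in this thread, the WAN-side anti-spoofing drop plus the extra state a router needs to loop LAN traffic back through its own port forwards (Dan's point), and the FTP PASV rewriting that Dan's router does and Richard's "Natterbox" does not (Richard's point), as an added Python simulation. This is not code from the thread or from any router vendor; the 192.168.1.0/24 LAN, the public address 203.0.113.5, the server at 192.168.1.10 and the three loopback "modes" are constructed for the example and simplify how a real router behaves.

```python
"""Toy NAT router: anti-spoofing on WAN, port forwarding, and three ways of
handling a LAN client that connects to the router's own public address.
All addresses are constructed (RFC 1918 and RFC 5737 ranges)."""
import ipaddress
import re
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN range
ROUTER_LAN_IP = "192.168.1.1"                     # constructed
WAN_IP = "203.0.113.5"                            # constructed, documentation range
FTP_SERVER = ("192.168.1.10", 21)                 # constructed internal server


@dataclass(frozen=True)
class Packet:
    iface: str   # "wan" or "lan": where the router receives (or sends) it
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """mode: 'none' (no loopback, typical consumer box), 'dnat-only' (naive
    loopback), 'full' (DNAT plus SNAT so replies also traverse the router)."""

    def __init__(self, mode="none"):
        self.mode = mode
        self.forwards = {21: FTP_SERVER}   # public port -> (internal ip, port)
        # (client address as the server sees it, client port) -> original packet
        self.state = {}

    def handle(self, pkt):
        """Return (verdict, packet as it leaves the router or None)."""
        # Anti-spoofing: a packet arriving on the WAN side with a LAN source
        # cannot be legitimate, so it is dropped before any translation.
        if pkt.iface == "wan" and ipaddress.ip_address(pkt.src) in LAN_NET:
            return "drop-spoofed", None

        # Reply from an internal server: reverse the recorded translation so
        # the client sees the reply come from the public address it dialled.
        internal_ips = {ip for ip, _ in self.forwards.values()}
        if pkt.iface == "lan" and pkt.src in internal_ips and (pkt.dst, pkt.dport) in self.state:
            orig = self.state.pop((pkt.dst, pkt.dport))
            return "forward", Packet(orig.iface, WAN_IP, orig.dport, orig.src, orig.sport)

        if pkt.dst != WAN_IP or pkt.dport not in self.forwards:
            return "no-translation", pkt
        srv_ip, srv_port = self.forwards[pkt.dport]

        if pkt.iface == "wan":
            # Plain port forward: DNAT only. The server's reply to an outside
            # address is routed back through this box anyway.
            self.state[(pkt.src, pkt.sport)] = pkt
            return "forward", Packet("lan", pkt.src, pkt.sport, srv_ip, srv_port)

        # A LAN client talking to the router's public address ("hairpin").
        if self.mode == "none":
            return "no-translation", pkt
        if self.mode == "dnat-only":
            # The server answers the client directly on the LAN; that reply
            # never passes the router and so is never un-translated.
            return "forward", Packet("lan", pkt.src, pkt.sport, srv_ip, srv_port)
        # 'full': also SNAT to the router's LAN address so the server replies
        # to the router, which then reverses both translations (extra state).
        self.state[(ROUTER_LAN_IP, pkt.sport)] = pkt
        return "forward", Packet("lan", ROUTER_LAN_IP, pkt.sport, srv_ip, srv_port)


def lan_client_session(mode):
    """LAN client 192.168.1.20 connects to WAN_IP:21; report what it sees."""
    r = NatRouter(mode)
    verdict, fwd = r.handle(Packet("lan", "192.168.1.20", 40000, WAN_IP, 21))
    if verdict != "forward":
        return verdict
    # The server answers whatever source address it saw.
    reply = Packet("lan", fwd.dst, fwd.dport, fwd.src, fwd.sport)
    if reply.dst == ROUTER_LAN_IP:      # addressed to the router: gets un-NATed
        verdict, reply = r.handle(reply)
    # A TCP client accepts the SYN-ACK only from the peer it connected to.
    return "ok" if (reply.src, reply.sport) == (WAN_IP, 21) else f"reset-by-client:{reply.src}"


PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def rewrite_pasv(line, public_ip):
    """FTP ALG step: if a 227 reply advertises a LAN address, substitute the
    public one so an outside client is told an address it can reach."""
    m = PASV_RE.search(line)
    if not m or not line.startswith("227"):
        return line
    if ipaddress.ip_address(".".join(m.groups()[:4])) not in LAN_NET:
        return line
    fixed = ",".join(public_ip.split(".") + list(m.groups()[4:]))
    return line[:m.start()] + "(" + fixed + ")" + line[m.end():]


if __name__ == "__main__":
    for mode in ("none", "dnat-only", "full"):
        print(mode, "->", lan_client_session(mode))
    print(rewrite_pasv("227 Entering Passive Mode (192,168,1,10,195,80)", WAN_IP))
```

Running the three modes shows the point Dan makes: DNAT alone is not enough for loopback, because the server's reply reaches the client directly with the wrong source address and the client resets the connection; only the mode that also rewrites the source (and keeps state to undo both rewrites on the way back) produces a working session.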