[vpn] help!!!

Reckhard, Tobias Reckhard at secunet.de
Fri Oct 26 03:24:18 EDT 2001


> 	I'm acquainted with firewalls, routers, networking, Network address
> translation, PAT, etc....but really only from an academic point of view
> from readings here and there. I've no practical experience at all in
> setting up and managing a network be it LAN or WAN.
Get a couple of Linux (or *BSD) boxes, the O'Reilly book on TCP/IP
administration, check up on the HOWTOs and you'll get into it.

> My real problem is therefore "seeing" how real equipment is placed. How
> it is physically connected.
Most equipment is connected by copper wire, some with fibre. Wireless
transmission in LANs is catching on, but still has quite a way to go and
poses many security risks. Backbones and WAN links use a multitude of
technologies. Get Tanenbaum's book on Computer Networks if you're interested
in an introduction to the whole scoop.

> Why must there be two IP addresses for a firewall? For a router also?
Sandy already answered this question.

> etc..etc....Most configurations I see in magazines give a schematic
> representation but don't deal with such basic practical questions and it
> doesn't really help me at all.
Well, they assume the reader is beyond the basics.

> 	Also questions which often crop up like:
> 1.	when I configure a router with network translation, what is actually
> "seen" by the outside world (internet)?
The outside world 'sees' the official addresses.

> As the RFC private non-routable
> addresses of the company are translated, is it just ONLY the firewall IP
> public address which is visible to the outside world?
This depends on the NAT/PAT setup, really. If you've got only one public
(official) IP address, then the NAT device, which is typically, but not
necessarily, a firewall, translates all private addresses to that one public
address on outbound packets and back from that one public address to the
correct private address for inbound return packets. That's what Cisco calls
PAT, Linux calls IP Masquerading and many people term NAT, though the latter
is often cause for misconceptions. PAT is an n:1 NAT setup, meaning that n
addresses are mapped to 1. The way to keep things separated lies in the
modification of the source ports of the packets coming from the n addresses
and mapping ports to addresses.

There are m:m NAT setups, in which there is a public address for every
private address that needs access to the Internet or from it. This doesn't
require any port manipulation. Note that there could well be more than m
machines on the private side of the NAT, but only m can access the Internet
and be accessed from it.

> What if internal
> servers are accessible to the outside world and dispose of public IP
> addresses?
If you're doing m:m NAT, the NAT device translates the public IP address to
a private one and sends the packet to the internal server. It also modifies
the source address on outbound packets from that server.

With n:1 NAT, you typically need to use 'port forwarding', which means that
the NAT device will base its decision on which internal server to send an
inbound packet to on the destination port in that packet. E.g. your NAT
device could be set up to forward all packets bound for TCP port 25 on it to
your internal mail server. It needs to translate the addresses in inbound
and outbound packets here as well.

> Are these IP addresses seen as is?
The public addresses are seen, yes.

> i.e. with their own publicly
> assigned IP addresses to the outside world when they get through the
> company firewall to communicate with another server on internet or is it
> the address of the firewall which is systematically substituted to these
> addresses and therefore the only visible address seen by the outside world?
See the explanations above.

> 2.	A router is itself a sort of firewall for IP filtering, right?
A router is an IP level gateway. It can perform firewalling, theoretically,
and many routers do. However, your sentence should be the other way around:

A firewall is a gateway, more precisely it's a gateway that filters traffic
passing through it. As Sandy already noted.

> But
> a PC connected to a router where a piece of software does some sort of
> application filtering is also a firewall, right?
Yes, if traffic passes through it.

> When I read articles on
> firewalls, there isn't any mention of what kind of firewall is used. Do I
> sound confused?
Yes, and you're not alone. In fact, the term 'firewall' can mean practically
anything nowadays. You have to check the details in the articles and read
between the lines to find out what the firewalls they talk about can
actually do.

> 3.	An ACL on a cisco router allows traffic based on IP source and
> destination addresses, port and protocol, as well as traffic direction.
Actually, this depends on the type of access list. What you say is true for
extended ACLs.

> What
> does it mean to say that traffic is allowed to circulate only from source
> address A to destination address B? If A sends traffic to B, and B replies
> to A, traffic is necessarily a two way issue, isn't it? If the ACL says:
> only A--> B, then A will never ever get replies from B since only
> unidirectional flow is permitted. Do I sound silly with this question?
No, you are absolutely right. And for TCP, for example, the return traffic is
inherently important. This is implied by most people when they state things
like the above. Also, in stateful filters, you often only specify the
direction in which traffic is initiated and the state engine takes care of
the return traffic.

> 4.	And so many other questions in this vein : Sendmail, DNS, .....which
> is really fascinating and captivating. But I hope that someone can
> enlighten
> me on the first three questions.
Check for info on the Web and get the O'Reilly books on the individual
topics. At least concerning Sendmail and BIND, they're very good
references, if not the standard literature.

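The three NAT cases explained above (n:1 PAT with rewritten source ports, m:m static NAT, and port forwarding on an n:1 box), simulated in Python as an added example. This is not code from the original post and not a real NAT implementation; the NatBox class and its method names are chosen here, and the addresses (203.0.113.0/24 and 198.51.100.0/24 from the RFC 5737 documentation ranges outside, 10.0.0.0/8 inside) are constructed for the example.

```python
# Added example (not from the post): a toy NAT box that shows what the
# outside world sees for n:1 PAT, m:m static NAT and port forwarding.
# All addresses are constructed from the RFC 5737 documentation ranges.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Combines m:m static NAT, n:1 PAT and port forwarding on one device."""

    def __init__(self, public_ip, static=None, forwards=None, first_port=1024):
        self.public_ip = public_ip
        # m:m: one public address per private host, no port rewriting
        self.static = dict(static or {})
        self.static_rev = {pub: priv for priv, pub in self.static.items()}
        # port forwarding: (proto, public port) -> (private ip, private port)
        self.forwards = dict(forwards or {})
        # n:1 PAT state: (proto, public port) -> (private ip, private port)
        self.pat = {}
        self.pat_rev = {}
        self.next_port = first_port

    def outbound(self, pkt):
        """Translate a packet leaving the private side; returns what the Internet sees."""
        if pkt.src in self.static:
            return replace(pkt, src=self.static[pkt.src])
        # replies from a port-forwarded server must leave on the forwarded public port
        for (proto, pub_port), (priv_ip, priv_port) in self.forwards.items():
            if (proto, priv_ip, priv_port) == (pkt.proto, pkt.src, pkt.sport):
                return replace(pkt, src=self.public_ip, sport=pub_port)
        # everybody else shares public_ip; a rewritten source port keeps flows apart
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.pat_rev:
            pub_port = self._alloc_port(pkt.proto)
            self.pat[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
            self.pat_rev[key] = pub_port
        return replace(pkt, src=self.public_ip, sport=self.pat_rev[key])

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means it is dropped."""
        if pkt.dst in self.static_rev:
            return replace(pkt, dst=self.static_rev[pkt.dst])
        if pkt.dst != self.public_ip:
            return None                       # not one of our addresses
        entry = self.pat.get((pkt.proto, pkt.dport))
        if entry is not None:                 # return traffic for a PAT flow
            return replace(pkt, dst=entry[0], dport=entry[1])
        fwd = self.forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:                   # unsolicited, but explicitly forwarded
            return replace(pkt, dst=fwd[0], dport=fwd[1])
        return None                           # unsolicited and unforwarded: dropped

    def _alloc_port(self, proto):
        # skip ports already used by PAT state or reserved for port forwards
        while (proto, self.next_port) in self.pat or (proto, self.next_port) in self.forwards:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port


def demo():
    """Run the three scenarios; returns the translated packets for inspection."""
    nat = NatBox("203.0.113.1",
                 static={"10.0.0.80": "203.0.113.80"},       # m:m for the web server
                 forwards={("tcp", 25): ("10.0.0.25", 25)})   # n:1 + forward for mail
    dns = "198.51.100.53"
    out = {}
    # two inside hosts happen to pick the same source port toward the same DNS server
    out["a_out"] = nat.outbound(Packet("udp", "10.0.0.10", 40000, dns, 53))
    out["b_out"] = nat.outbound(Packet("udp", "10.0.0.11", 40000, dns, 53))
    # the replies come back to the single public address; the port tells them apart
    out["a_reply"] = nat.inbound(Packet("udp", dns, 53, "203.0.113.1", out["a_out"].sport))
    out["b_reply"] = nat.inbound(Packet("udp", dns, 53, "203.0.113.1", out["b_out"].sport))
    # unsolicited SSH to the public address: nothing forwarded, nothing in the table
    out["ssh_in"] = nat.inbound(Packet("tcp", "198.51.100.7", 50000, "203.0.113.1", 22))
    # SMTP from outside reaches the mail server via the port forward, and its
    # reply leaves looking as if the NAT box itself answered on port 25
    out["smtp_in"] = nat.inbound(Packet("tcp", "198.51.100.7", 50001, "203.0.113.1", 25))
    out["smtp_out"] = nat.outbound(Packet("tcp", "10.0.0.25", 25, "198.51.100.7", 50001))
    # m:m: the web server keeps its own public address and its ports untouched
    out["web_out"] = nat.outbound(Packet("tcp", "10.0.0.80", 80, "198.51.100.7", 50002))
    out["web_in"] = nat.inbound(Packet("tcp", "198.51.100.7", 50003, "203.0.113.80", 80))
    return out


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:9} {pkt}")
```

Run it and the printed packets are what the outside world 'sees': both inside hosts appear as 203.0.113.1 with different source ports, the mail server appears as 203.0.113.1:25 only because of the forward, and the web server keeps its own public address 203.0.113.80. An unsolicited inbound packet to a port that is neither in the PAT table nor forwarded is dropped; that is a side effect of n:1 NAT, not filtering by a firewall.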

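The ACL direction question above (can A get replies from B when the rule only says A -> B), simulated in Python as an added example that is not part of the original post. It compares a plain stateless extended ACL, Cisco's `established` keyword (an option the post does not mention: a packet in the reverse direction is admitted if it carries ACK or RST), and a state engine of the kind Tobias describes. Addresses are constructed from the RFC 5737 documentation ranges; Pkt, RULES and the filter names are choices made for this example.

```python
# Added example (not from the post): the "A -> B only" ACL question.
# A is the inside client, B an outside web server; constructed addresses.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN"}


# one rule, written in the direction of initiation: A may open TCP port 80 on B
RULES = [("10.0.0.5", "198.51.100.80", 80)]


def matches_rule(pkt):
    return any(pkt.src == s and pkt.dst == d and pkt.dport == p for s, d, p in RULES)


def stateless_filter(pkt):
    """Plain extended ACL applied to every packet: B's replies never match."""
    return matches_rule(pkt)


def established_filter(pkt):
    """The classic ACL workaround ('established'): also let through any packet
    from B back to A that carries ACK or RST, i.e. that claims to belong to an
    existing connection. It trusts the flag, so it is not real state tracking."""
    if matches_rule(pkt):
        return True
    reverse = any(pkt.src == d and pkt.dst == s and pkt.sport == p for s, d, p in RULES)
    return reverse and bool(pkt.flags & {"ACK", "RST"})


class StatefulFilter:
    """State engine: remember connections the rule let start, then admit
    both directions of each remembered connection and nothing else."""

    def __init__(self):
        self.conns = set()   # (client, cport, server, sport) of admitted connections

    def allow(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conns or rev in self.conns:
            return True                  # part of a connection already admitted
        if matches_rule(pkt) and "SYN" in pkt.flags:
            self.conns.add(fwd)          # new connection in the permitted direction
            return True
        return False


def demo():
    """Feed the same four packets to each filter; returns the allow decisions."""
    a, b = "10.0.0.5", "198.51.100.80"
    syn = Pkt(a, 40001, b, 80, frozenset({"SYN"}))             # A opens the connection
    syn_ack = Pkt(b, 80, a, 40001, frozenset({"SYN", "ACK"}))  # B's reply to it
    probe = Pkt(b, 80, a, 40003, frozenset({"SYN"}))           # B trying to initiate
    ack_scan = Pkt(b, 80, a, 40002, frozenset({"ACK"}))        # ACK with no connection behind it
    packets = (syn, syn_ack, probe, ack_scan)
    sf = StatefulFilter()
    return {
        "stateless":   [stateless_filter(p) for p in packets],
        "established": [established_filter(p) for p in packets],
        "stateful":    [sf.allow(p) for p in packets],
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name:12} {decisions}")
```

The stateless list drops B's SYN/ACK, so A's connection never completes, which is exactly the problem the question raises. The `established` variant fixes that but only checks the flag, so an unsolicited ACK from B (an ACK scan) passes too; the state engine admits only packets belonging to a connection that was opened in the permitted direction.
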
VPN is sponsored by SecurityFocus.com
