dgillett at deepforest.org
Fri Oct 26 04:09:47 EDT 2001
> Why must there be two IP addresses for a firewall? For a router
> also?
A router is a computer that -- besides any other functions it might
have -- is configured to accept and forward packets for which it is
not the final destination.
There's nothing to say that a computer with a single interface
cannot do this. However, since in that case every packet *could*
have been sent directly to its next destination without being handled
by the router, this case is considered somewhat wasteful and not
In the more common case, a router will have interfaces on at least
two networks, and its job will be to pass traffic from one network to
the other (and, usually, back the other way as well).
Since those interfaces are on different networks -- and since part
of any routable address identifies the network on which the address
resides! -- they must have different addresses.
A firewall is a gateway (routers that connect multiple networks are
the most common, but not the only, kind of gateway) between two
different trust/security domains. If those domains were on the same
network/subnet, it would be possible for traffic to flow between the
domains without being handled by the firewall. The firewall would
not be acting as a security boundary in that case.
> 1. When I configure a router with network address translation, what is
> actually "seen" by the outside world (internet)? As the RFC
> private non-routable addresses of the company are translated, is it
> just ONLY the firewall's public IP address which is visible to the
> outside world? What if internal servers are accessible to the
> outside world and have public IP addresses? Are these IP
> addresses seen as is, i.e. with their own publicly assigned IP
> addresses, by the outside world when they go through the company
> firewall to communicate with another server on the internet, or is it
> the address of the firewall which is systematically substituted for
> these addresses and therefore the only visible address seen by the
> outside world?
There are three typical scenarios (simplified):
1. PAT (Port Address Translation)
When an internal machine initiates a connection to the outside, the
internal origin address and port number are translated to the
router's external address and some "random" available port number.
The router enters this translation in a table, so when a reply is
received on that port number, it can be forwarded to the inside
address and port number from which the connection originated.
Obviously, this has issues for connectionless protocols, but creating
a temporary mapping with a timeout seems to work reasonably well for
UDP, for instance.
2. Dynamic NAT
Similar, but the router has a pool of external addresses available,
and this makes it easier to (a) preserve the originating port number,
and/or (b) associate related return traffic with the correct client
(e.g., the data channel connection in non-PASV FTP).
3. Static NAT
A given external address is paired with a given internal address.
This is typically used for externally-visible servers (which, by the
way, *ought* to be in a separate trust/security domain from other
internal hosts, called a "DMZ"). To answer your question, such a
server usually knows itself only by its internal IP address[*], and
internal clients may refer to it by that address. OR they may refer
to it by external address, in which case their traffic must visit the
router to translate the origin to an external address -- and
immediately again, to translate the destination to an internal
[*] Some components may need to know the external address, to deal
with things like SSL certificates or protocols that embed address
information in the payload and not just in the headers. I did say
this description was simplified....
> 2. A router is itself a sort of firewall for IP filtering, right?
> But a PC connected to a router, where some software performs some
> sort of application filtering, is also a firewall, right? When I
> read articles on firewalls, there is no mention of what kind of
> firewall is used. Do I sound confused?
ONE kind of firewall is pretty much a router with packet filtering.
(a) A router is a traffic-transport device, and tends to default to
"forward all traffic". A firewall is a *security* device, and should
default to "forward NO traffic". Also, modern packet-filter
firewalls do "stateful inspection", checking that inbound traffic is
part of properly initiated sessions; consumer-grade router packet
filters may just check the port number against a static list.
(b) The best generic definition of firewall is "a component that
enforces a security policy". This can be done in several different
ways (packet filtering, application proxying), in hardware or in
software, on an endpoint host or on some intermediate gateway.
I agree that it is unfortunate that network filter software for PCs
has been christened by the makers "software firewalls", and even more
unfortunate that many users shorten this to "firewalls".
> 3. An ACL on a Cisco router allows traffic based on source and
> destination IP address, port and protocol, as well as traffic
> direction. What does it mean to say that traffic is allowed to
> circulate only from source address A to destination address B? If
> A sends traffic to B, and B replies to A, traffic is necessarily a
> two-way issue, isn't it? If the ACL says: only A --> B, then A will
> never ever get replies from B since only a unidirectional flow is
> permitted. Do I sound silly with this question?
An ACL, once defined, is then applied separately to each direction
(in or out) on each interface. So the application of the ACL in your
example says something like "traffic A->B is allowed to come IN on
THIS interface". Traffic B->A should never come IN on THIS interface
-- if it passes this way at all, it should come in on some other
interface, and *may* go OUT on this one. So there should probably be
a corresponding B->A rule, but because it applies somewhere else, it
will have to be in a different ACL to be useful.
On 25 Oct 2001, at 10:51, TAN, Raymond wrote:
> I'm acquainted with firewalls, routers, networking, network address
> translation, PAT, etc., but really only from an academic point of view, from
> readings here and there. I've no practical experience at all in setting up
> and managing a network, be it LAN or WAN. My real problem is therefore
> "seeing" how real equipment is placed. How is it physically connected?
> Why must there be two IP addresses for a firewall? For a router also?
> Etc., etc. Most configurations I see in magazines give a schematic
> representation but don't deal with such basic practical questions, and it
> doesn't really help me at all.
> Also, questions which often crop up, like:
> 1. When I configure a router with network address translation, what is actually
> "seen" by the outside world (internet)? As the RFC private non-routable
> addresses of the company are translated, is it just ONLY the firewall's
> public IP address which is visible to the outside world? What if internal
> servers are accessible to the outside world and have public IP
> addresses? Are these IP addresses seen as is, i.e. with their own publicly
> assigned IP addresses, by the outside world when they go through the company
> firewall to communicate with another server on the internet, or is it the address
> of the firewall which is systematically substituted for these addresses and
> therefore the only visible address seen by the outside world?
> 2. A router is itself a sort of firewall for IP filtering, right? But
> a PC connected to a router, where some software performs some sort of
> application filtering, is also a firewall, right? When I read articles on
> firewalls, there is no mention of what kind of firewall is used. Do I
> sound confused?
> 3. An ACL on a Cisco router allows traffic based on source and
> destination IP address, port and protocol, as well as traffic direction. What
> does it mean to say that traffic is allowed to circulate only from source
> address A to destination address B? If A sends traffic to B, and B replies to
> A, traffic is necessarily a two-way issue, isn't it? If the ACL says: only
> A --> B, then A will never ever get replies from B since only a unidirectional
> flow is permitted. Do I sound silly with this question?
> 4. And so many other questions in this vein: Sendmail, DNS, ..., which
> are really fascinating and captivating. But I hope that someone can enlighten
> me on the first three questions.
> Sorry about asking these basic questions, which probably shouldn't
> figure here. But I'm really at a loss as to where I can find clear practical
> answers to my questions, because surfing the net hasn't really helped me
> find the right (non-academic) answers. I find a number of sites, but maybe I
> didn't open or check out the right ones. I don't know about lists or
> newsgroups where I can subscribe so as to get the "feel" of the whole
> If anyone has a tutorial, a short practical guide about all
> that's necessary to put up a LAN, WAN, VPN, etc., or knows about a site with
> good, clear, concrete examples and explanations, could you please send me
> the URL links?
> I need to know, as I'm new in this job and have no way of going
> through a course to help me understand the network issue from a very
> pragmatic point of view.
> Thanks a lot in advance for any help given.
> VPN is sponsored by SecurityFocus.com
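Added example (not part of the original thread, and not any vendor's implementation): a small Python model of the two-interface router/firewall discussed in the reply above. It shows the ACL point from question 3 (a rule permitting A->B applied inbound on the inside interface lets the request through, but the reply B->A arrives inbound on the outside interface and is dropped unless that interface's own ACL has a matching rule, or the device tracks sessions statefully) and the PAT/static NAT point from question 1 (the outside world sees only the router's address for translated hosts, replies are mapped back through a table, an idle UDP mapping times out, and a DMZ server reached through static NAT keeps its own internal address). All addresses (198.51.100.x, 203.0.113.10, 10.0.0.5, 172.16.0.25), ports, the 30-second UDP timeout, the port pool and the order in which the NAT and ACL checks are applied are assumptions of this toy, not a description of Cisco IOS or any other product.

```python
"""Toy two-interface router/firewall: ACLs applied per interface and per direction, PAT of
private sources behind one outside address, static NAT for a DMZ host, a UDP idle timeout,
and optional stateful admission of replies.  All addresses, ports and timers are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
import itertools

Packet = namedtuple("Packet", "proto src sport dst dport")  # proto is "tcp" or "udp"

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p):
        return (self.proto in ("any", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))

class Acl:
    """Ordered rule list: first match wins, implicit deny when nothing matches."""
    def __init__(self, *rules):
        self.rules = rules
    def permits(self, p):
        for r in self.rules:
            if r.matches(p):
                return r.action == "permit"
        return False

class Firewall:
    UDP_TIMEOUT = 30  # assumed idle timeout (seconds) for UDP mappings

    def __init__(self, outside_addr, stateful=False, static_nat=None):
        self.outside_addr = outside_addr     # the single public PAT address
        self.stateful = stateful
        self.static_nat = static_nat or {}   # public address -> DMZ address
        self.acls = {}                       # (interface, "in" | "out") -> Acl
        self.sessions = {}  # outside-view 5-tuple we sent -> (inside src, sport, last seen)
        self.ports = itertools.count(49152)  # assumed PAT port pool start
        self.clock = 0                       # simulated seconds
    def _acl_ok(self, iface, direction, p):
        acl = self.acls.get((iface, direction))
        return acl is None or acl.permits(p)  # no ACL applied = router default: forward
    def outbound(self, p):
        """Packet entering IN on 'inside' and leaving OUT on 'outside'; None if dropped."""
        if not self._acl_ok("inside", "in", p):
            return None
        out = p  # an inside host with its own public address is routed untranslated
        if p.src.startswith("10."):  # private source (10/8 only, for brevity): PAT it
            out = p._replace(src=self.outside_addr, sport=next(self.ports))
        if not self._acl_ok("outside", "out", out):
            return None
        self.sessions[out] = (p.src, p.sport, self.clock)
        return out
    def inbound(self, p):
        """Packet entering IN on 'outside' and leaving OUT on 'inside'; None if dropped."""
        key = Packet(p.proto, p.dst, p.dport, p.src, p.sport)  # reversed: a reply to us?
        if key in self.sessions:
            inner_src, inner_sport, seen = self.sessions[key]
            if p.proto == "udp" and self.clock - seen > self.UDP_TIMEOUT:
                del self.sessions[key]  # idle mapping expired: treat as unsolicited below
            else:
                inner = p._replace(dst=inner_src, dport=inner_sport)
                if self.stateful:
                    return inner  # reply to a session we initiated: admitted without a rule
                return inner if self._acl_ok("outside", "in", p) else None
        # Unsolicited: only an explicit rule in THIS interface's inbound ACL admits it.
        if not self._acl_ok("outside", "in", p) or p.dst == self.outside_addr:
            return None  # denied, or the PAT address with no mapping: nowhere to deliver
        inner = p._replace(dst=self.static_nat.get(p.dst, p.dst))
        return inner if self._acl_ok("inside", "out", inner) else None

def demo():
    """Scenarios from the thread; returns {name: outcome matched expectation}."""
    A, B, PAT, MX, DMZ = "198.51.100.7", "203.0.113.10", "198.51.100.1", "198.51.100.8", "172.16.0.25"
    r = {}
    fw = Firewall(PAT)  # 1. stateless filter; A has a public address; rule A->B inbound on 'inside'
    fw.acls[("inside", "in")] = Acl(Rule("permit", "tcp", A, B, 80))
    fw.acls[("outside", "in")] = Acl(Rule("permit", "tcp", "any", MX, 25))
    req, rep = Packet("tcp", A, 51000, B, 80), Packet("tcp", B, 80, A, 51000)
    r["request_forwarded"] = fw.outbound(req) == req
    r["reply_dropped_stateless"] = fw.inbound(rep) is None  # B->A enters on 'outside': no rule there
    fw.acls[("outside", "in")] = Acl(Rule("permit", "tcp", "any", MX, 25), Rule("permit", "tcp", B, A))
    r["reply_forwarded_with_rule"] = fw.inbound(rep) == rep  # the B->A rule belongs in the other ACL
    fw2 = Firewall(PAT, stateful=True, static_nat={MX: DMZ})  # 2. stateful, PAT, DMZ mail host
    fw2.acls[("inside", "in")] = Acl(Rule("permit", "udp", "any", "any", 53), Rule("permit", "tcp"))
    fw2.acls[("outside", "in")] = Acl(Rule("permit", "tcp", "any", MX, 25))
    out = fw2.outbound(Packet("udp", "10.0.0.5", 40000, B, 53))
    r["pat_hides_inside_addr"] = (out.src, out.dst) == (PAT, B)
    ans = Packet("udp", B, 53, out.src, out.sport)
    r["pat_reply_untranslated"] = fw2.inbound(ans) == Packet("udp", B, 53, "10.0.0.5", 40000)
    fw2.clock += Firewall.UDP_TIMEOUT + 1
    r["pat_reply_after_timeout_dropped"] = fw2.inbound(ans) is None
    r["unsolicited_to_pat_addr_dropped"] = fw2.inbound(Packet("tcp", B, 4444, PAT, 3389)) is None
    r["static_nat_to_dmz"] = fw2.inbound(Packet("tcp", B, 5000, MX, 25)) == Packet("tcp", B, 5000, DMZ, 25)
    return r
```

Calling demo() returns a dict of named outcomes, all of which should be True. The stateless device forwards the reply only once the B->A rule is added to the outside interface's inbound ACL, which is the "different ACL" the reply refers to; the stateful device needs no such rule, but still drops the unsolicited probe to the PAT address and the UDP answer that arrives after the mapping has idled out.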