-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> NO! I can't do it, based on the fundamental rules of the TCP/IP protocol. I
> will explain it. Let's have an external box 'A', firewall 'B', and sendmail
> box 'C'. Now if A sends an IP packet to B it has src=A dst=B; now B receives
> this packet and changes it to src=B dst=C. If (as you want to) B would not
> change this and leave it as src=A dst=C, then the packet will arrive at C,
> but will never be sent back to A, because the sequence number of the TCP/IP
> protocol is different on B and C, and simply A will reject packets from C,
> due to Man-In-the-Middle-Attack rules. So in this configuration it must be
> like it is. Second, it will not be received because C is a private IP, and
> third, B will not pass through packets from C to A. Read the SNAT and DNAT
> rules of IPTABLES again. :)

Hmmm... I believe Gauntlet can do this. Where I work, I don't have any control
over the main firewall, but I look after the web servers. We requested that
connections to the web servers shouldn't have the src address re-written to
the firewall's. This was for information gathering reasons. No problem - it's
been running okay for a while now.

Actually, the more I think about it, at home this is exactly how things work on
my network. I have port 80 on my firewall forwarded to my web server. The web
server sees the client address and not the address of the firewall. This is
using iptables. The rule is:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to xxx.xxx.xxx.xxx:80

netstat on the web server reports the client address and not the firewall's
address. You may want to check things to see if and why you get different
results. As far as I can tell, this is because the firewall box forwards the
packets on transparently so any sequence numbers are maintained.

> There is another way. It is highly tricky. Make on the firewall rules that
> alter a TCP/IP flag of the packet which is allowed to go to sendmail. Now
> the sendmail box will have an iptables rule located in PREROUTING and simply
> DROP all packets without the flag altered.

That sounds very bad! I'm not sure you'd actually be able to get that working.
If you do, I'd like to see what you've done.

- --
Paul Bryan
pa_bryan@yahoo.co.uk
PGP Key http://www.keyserver.net:11371/pks/lookup?op=get&search=0xB1D405DA

Ah, this is obviously some strange usage of the word safe that I wasn't
previously aware of.
    Arthur Dent, "Hitch Hikers Guide to the Galaxy"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+O7J43qGyTLHUBdoRAtKzAJ4mXUgb6D2jvoCVmH8UyqJugPgt1gCgv2sP
JS7cHG5komJMCQqS/Sx/490=
=mSGr
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
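[Editor's added example, not part of Paul's message or the thread. It spells out the two port-forwarding setups the thread argues about: DNAT alone, which is what Paul's rule does and which leaves the client's source address (and TCP sequence numbers) untouched, beside DNAT plus SNAT, which is the setup where the internal box sees the firewall's address. The interface names (eth0, eth1), the addresses, and the function names are illustrative assumptions; the script prints the rules by default and only applies them when run as root with DRY_RUN=0.]

```shell
#!/bin/sh
# Added example, not from the thread: the two ways a Linux firewall (box B)
# can forward a port to a host behind it (box C), and what C sees as the
# source address in each case. Interface names, addresses and the function
# names are illustrative assumptions.
#
# Variant 1 keeps the client's source address: only the destination is
# rewritten (DNAT), and conntrack reverses that rewrite on C's replies, so
# the TCP sequence numbers are never touched. This requires C to route its
# replies back through B (B is C's default gateway).
#
# Variant 2 also rewrites the source (SNAT), so C's logs show B's address;
# it is needed only when C cannot route replies via B.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# forward_preserving_source WAN_IF PUBLIC_PORT INTERNAL_HOST INTERNAL_PORT
forward_preserving_source() {
    wan_if=$1 pub_port=$2 int_host=$3 int_port=$4
    run sysctl -w net.ipv4.ip_forward=1
    # Rewrite dst only; src stays the real client. DNAT lives in the nat
    # table, so -t nat is mandatory (PREROUTING does not exist in filter).
    run iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$int_host:$int_port"
    # FORWARD sees the packet after DNAT, so match the internal address.
    run iptables -A FORWARD -i "$wan_if" -p tcp -d "$int_host" --dport "$int_port" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    # Replies from C are un-DNATed by conntrack on the way back out.
    run iptables -A FORWARD -o "$wan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forward_rewriting_source WAN_IF LAN_IF FW_LAN_IP PUBLIC_PORT INTERNAL_HOST INTERNAL_PORT
forward_rewriting_source() {
    lan_if=$2 fw_lan_ip=$3
    forward_preserving_source "$1" "$4" "$5" "$6"
    # Extra step: replace the client's source with the firewall's LAN address.
    # This is the rule whose presence makes C see the firewall, not the client.
    run iptables -t nat -A POSTROUTING -o "$lan_if" -p tcp -d "$5" --dport "$6" \
        -j SNAT --to-source "$fw_lan_ip"
}

if [ "${1:-}" = "show" ]; then
    echo "# DNAT only (C sees the client address):"
    forward_preserving_source eth0 80 192.168.1.10 80
    echo "# DNAT + SNAT (C sees the firewall's address):"
    forward_rewriting_source eth0 eth1 192.168.1.1 80 192.168.1.10 80
fi
```

Run `sh forward.sh show` to see both rule sets printed; `DRY_RUN=0 sh forward.sh show` applies them (as root). The check to make on a box that seems to disagree with Paul's observation is whether a POSTROUTING SNAT or MASQUERADE rule is also matching the forwarded traffic (`iptables -t nat -L POSTROUTING -v -n`), and whether the internal host's default route actually goes back through the firewall.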