[opensuse] Re: [Fwbuilder-discussion] Dual-homed NAT question



Whit Blauvelt wrote:
> I'm not an expert here but so far as I'm aware there's nothing in the IP
> packet which has information about which interface it arrived on. Without
> that information it can not be routed predictably for the return journey.
Think you're right. When it's being handled on just the firewall system, I
believe it's the kernel's rp_filter that's enabling it to work. But that's
lost when it goes on by DNAT. Thus the desire to use a port. There's _got_
to be a way to implement the logic "if it comes from 192.168.1.xyz on port
24, route it out through interface X on port 22" - except iptables'
limitation on outward port translation blocks the easy and obvious way.

If I put a daemon on the firewall box, with my current setup it just works.
Putting it on a separate system behind it though, I haven't found an
appropriate way yet to have the firewall recognize which outgoing interface
to use, to have it match the incoming.

As has been mentioned before, there is no way for the firewall/NAT to determine which port is to be used. The packets behind the firewall will have a destination address and the routing tables will determine which interface will be used. Unless there is a specific route for a given address, the default route will always be used. You're looking for something that's not possible. Perhaps you could run a proxy on the firewall instead.
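The reply above makes one concrete claim: once a DNAT'd packet has been answered by the host behind the firewall, the firewall picks the outgoing interface purely from the reply's destination address via its routing table, falling back to the default route when no more specific route exists. The following is an added illustration, not code from the thread or from any of the posters: a small longest-prefix-match lookup over a constructed routing table for a dual-homed firewall. The interface names (eth0/eth1/eth2), the documentation-range addresses and the table itself are all assumptions chosen for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None


# Constructed routing table (assumption, not the poster's configuration):
# eth1 faces the LAN behind the firewall, eth0 and eth2 face two upstream links,
# and the default route points out eth0.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    Route(ipaddress.ip_network("203.0.113.0/24"), "eth0"),
    Route(ipaddress.ip_network("198.51.100.0/24"), "eth2"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "203.0.113.1"),
]

# Same table plus a host-specific route for one remote network, to show that
# only a more specific route changes the outcome.
ROUTES_WITH_SPECIFIC: List[Route] = ROUTES + [
    Route(ipaddress.ip_network("192.0.2.0/24"), "eth2", "198.51.100.1"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match on the destination address.

    The 0.0.0.0/0 default route matches every address, so it is chosen only
    when no longer prefix in the table also matches.
    """
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in table:
        if addr in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def egress_for_reply(table: List[Route], client_ip: str, ingress_iface: str) -> str:
    """Interface a reply to client_ip leaves on.

    ingress_iface (where the original request arrived) is accepted only to make
    the point of the thread explicit: it never enters the decision, because the
    routing lookup sees the reply's destination address and nothing else.
    """
    route = lookup(table, client_ip)
    if route is None:
        raise ValueError(f"no route to {client_ip}")
    return route.iface


if __name__ == "__main__":
    client = "192.0.2.10"  # constructed remote client address
    for ingress in ("eth0", "eth2"):
        # Request came in on `ingress` and was DNAT'd to 192.168.1.10; the reply
        # is routed on the client address alone, so both cases leave via eth0.
        print(f"request in {ingress}: reply leaves {egress_for_reply(ROUTES, client, ingress)}")
    # Only a more specific route for the client's network changes the egress.
    print(f"with specific route: reply leaves {egress_for_reply(ROUTES_WITH_SPECIFIC, client, 'eth2')}")
```

Running it shows the asymmetry the original poster ran into: a request that arrived on eth2 and was forwarded to 192.168.1.10 gets its reply sent out eth0, because 192.0.2.10 only matches the default route. Adding a /24 route for the client's network via eth2 is the "specific route for a given address" case the reply mentions, and it is the only thing in this plain destination-based table that redirects the return traffic.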