DaemonForums > OpenBSD > OpenBSD Security

#1, 19th September 2010
majkelos (Port Guard, joined Sep 2010, 23 posts)
Private connection class problem

Hello

Is it possible to NAT outgoing connections with an address from the internal card? Because the address on the external interface and the gateway are from a private class, and I would like to assign the whole public class to the internal interface.
Or can I force connections made on the router to use the address on the internal interface?

Thanks!
#2, 19th September 2010
ocicat (Administrator, joined Apr 2008, 2,879 posts)

Quote:
Originally Posted by majkelos
Is it possible to NAT outgoing connections with an address from the internal card?
No. Even if this were possible, you would be exposing an address which is no longer part of the segment where it is attached. What are your concerns about the external interface being an RFC1918 address?
#3, 21st September 2010
majkelos (Port Guard)

Quote:
What are your concerns about the external interface being an RFC1918 address?
Yes, Ocicat.

Thanks
#4, 21st September 2010
ocicat (Administrator)

If the outside interface is a private RFC1918 address, it simply means that you are working within a larger internal network. As such, you do not have any control over what the legitimate external address may be; it has to work as a proper member of the segment in which it exists. If you change your external interface's IP address:
  • ...to something which is still valid within the parent's segment, then you risk duplicating an address which does or will exist in that same segment. This will cause problems with everyone's ARP table entries in that segment because it is no longer true that all hosts have unique IP addresses.
  • ...to some address which is not in the parent's segment, then traffic might be able to get to its defined destination, but return traffic will be routed (rightfully) elsewhere.
These are two large reasons why you can't change the IP address of your firewall's external interface. You are truly at the mercy of your provider.
#5, 22nd September 2010
majkelos (Port Guard)

Hi

I know why my ISP gives me a private connection class to its BGP router and what it means. I am wondering if it is possible to go outside with a public address which is assigned to the internal interface?

Thanks
#6, 22nd September 2010
ocicat (Administrator)

Quote:
Originally Posted by majkelos
I am wondering if it is possible to go outside with a public address which is assigned to the internal interface?
This all depends upon the routing put in place by your ISP. You will have to ask this question to them.
#7, 22nd September 2010
majkelos (Port Guard)

Hello

Ocicat, these IPs on the internal interface are public addresses and are routable. Users on the LAN can use these addresses to work on the Internet. But can I use the address of the internal interface to go outside when I want to make a connection from the router? Let's say I use ssh on the router; if I have a private connection address on the external interface, I cannot go outside. Is it possible to make NAT or something to change the private connection address to one on the internal interface, from the public class which is routable and has a connection with the outside (Internet)?

Thanks
#8, 22nd September 2010
ocicat (Administrator)

Quote:
Originally Posted by majkelos
Users on the LAN can use these addresses to work on the Internet.
From your description thus far, it is unclear whether there is another route your public addressed hosts can take to reach the Internet, or whether all hosts in this segment of public addresses have to traverse this NAT'ed interface mentioned at the beginning of this thread. I suspect that this private addressed parent segment is later NAT'ed to the public Internet & that you do not need to worry about the fact that your firewall's external address is an RFC1918 private address. But this is simply conjecture on my part.

It is also unclear whether these public addressed hosts are sanctioned public addresses or whether someone arbitrarily decided to use these addresses deep down within a private network. The question here is whether these addresses will collide with other hosts using the same addresses in the wild.

In any event, it sounds like this is a complex corporate network where portions are connected to other portions (possibly through acquisitions) through BGP. I am familiar with neither your network structure nor all of the idiosyncrasies of BGP, so I cannot fully answer your questions. What is clear is that this is not a simple topology, & that working with the thought of "all public addresses should be publicly accessible" may be an oversimplification.

In order for you to understand the interconnections, it appears there are two choices:
  • Play with traceroute(8) to see how packets are traversing your network structure to outside hosts. If you have the facilities, you might try using traceroute(8) outside to see if you can get into your internal hosts. I suspect the latter will be blocked by one or more firewalls, but this too is conjecture on my part.
  • Talk to your ISP.
Good luck with your quest.
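An added example, not code from the thread or from either poster: a pf.conf fragment, in the OpenBSD 4.7-and-later match/nat-to syntax, for the layout majkelos describes, where the upstream link carries an ISP-assigned RFC1918 address and the public block lives on the LAN interface. The interface names, the 10.0.0.0/30 link and the 192.0.2.0/24 block are hypothetical documentation values. It rewrites the source of connections the router itself originates to the public address on the internal interface and leaves forwarded LAN traffic alone. The caveat raised earlier in the thread still applies: replies only come back if the ISP already routes the public block toward the router's private external address, which is exactly what post #7 says the LAN hosts depend on; if that upstream route is missing, no rule on the router can create it.

```pf
# Added example for this thread, not the poster's configuration.
# Interface names and addresses are hypothetical; 10.0.0.0/30 and
# 192.0.2.0/24 are reserved documentation ranges standing in for the
# ISP link and the public block.
ext_if     = "em0"           # upstream link, ISP-assigned RFC1918 address 10.0.0.2/30
int_if     = "em1"           # LAN side, carries the public block
link_net   = "10.0.0.0/30"   # the private ISP link itself
pub_net    = "192.0.2.0/24"  # public block the ISP routes toward 10.0.0.2
router_pub = "192.0.2.1"     # public address configured on $int_if

set skip on lo

# Rewrite the source of connections the router itself originates.
# "from ($ext_if)" matches only packets sourced from em0's own address
# (the kernel picks the outgoing interface's address for router-originated
# traffic), so forwarded LAN packets, already sourced from $pub_net, are
# untouched. Traffic to the ISP link itself (the gateway, a BGP peer on
# that link) deliberately keeps 10.0.0.2 as its source.
match out on $ext_if from ($ext_if) to ! $link_net nat-to $router_pub

# Default deny, then explicit passes. The match rule above is applied to
# any packet that a later pass rule lets out on $ext_if.
block log all
pass out on $ext_if
pass out on $int_if
pass in on $int_if from $pub_net
pass in on $ext_if proto tcp to $router_pub port ssh
```

Check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; afterwards `pfctl -ss` lists the translated state for an outbound ssh from the router, and `tcpdump -ni em0` should show the packets leaving with 192.0.2.1 as source and the replies arriving for it. On a pre-4.7 release the equivalent is `nat on $ext_if from ($ext_if) to ! $link_net -> $router_pub`. Because the router already owns 192.0.2.1, a single session can also bind to it without any NAT at all (`ssh -b 192.0.2.1 host`); the nat-to rule is what makes the public address the default for everything the router originates, such as package fetches, DNS and NTP, which take no bind option.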