DaemonForums  

#1 majkelos (Port Guard), 19th September 2010
Private connection class problem

Hello

Is it possible to NAT outgoing connections with an address from the internal card? Because the address on the external interface and the gateway is from a private class, and I would like to assign the whole public class to the internal interface.
Or can I force connections on the router to be made from the address on the internal interface?

Thanks!

#2 ocicat (Administrator), 19th September 2010

Quote:
Originally Posted by majkelos
Is it possible to NAT outgoing connections with an address from the internal card?

No. Even if this was possible, you would be exposing an address which is no longer part of the segment where it is attached. What are your concerns about the external interface being an RFC1918 address?

#3 majkelos (Port Guard), 21st September 2010

Quote:
What are your concerns about the external interface being an RFC1918 address?

Yes, ocicat.

Thanks

#4 ocicat (Administrator), 21st September 2010

If the outside interface is a private RFC1918 address, it simply means that you are working within a larger internal network. As such, you do not have any control over what the legitimate external address may be; it has to work as a proper member of the segment in which it exists. If you change your external interface's IP address:
  • ...to something which is still valid within the parent's segment, then you risk duplicating an address which does or will exist in that same segment. This will cause problems with everyone's ARP table entries in that segment because it is no longer true that all hosts have unique IP addresses.
  • ...to some address which is not in the parent's segment, then traffic might be able to get to its defined destination, but return traffic will be routed (rightfully) elsewhere.
These are two large reasons why you can't change the IP address of your firewall's external interface. You are truly at the mercy of your provider.

#5 majkelos (Port Guard), 22nd September 2010

Hi

I know why my ISP gives me a private connection class to his BGP router and what it means. I am wondering if it is possible to go outside with the public address which is assigned to the internal interface?

Thanks

#6 ocicat (Administrator), 22nd September 2010

Quote:
Originally Posted by majkelos
I am wondering if it is possible to go outside with the public address which is assigned to the internal interface?

This all depends upon the routing put in place by your ISP. You will have to ask this question to them.
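
Added example, not part of the original thread: a Python sketch of the two failure cases listed in post #4 and of the dependency on ISP routing noted in post #6. The addresses (RFC 1918 and documentation ranges), the ISP route table and the function names are constructed assumptions.

```python
import ipaddress

def return_next_hop(isp_routes, src_ip):
    """Longest-prefix match in the ISP router's table: next hop for replies to src_ip."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, next_hop in isp_routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def check_source(src_ip, segment, our_ip, neighbours, isp_routes):
    """Classify a candidate source address for traffic leaving the firewall."""
    addr = ipaddress.ip_address(src_ip)
    if addr in ipaddress.ip_network(segment):
        if addr == ipaddress.ip_address(our_ip):
            return "ok-assigned"
        if addr in {ipaddress.ip_address(n) for n in neighbours}:
            return "duplicate-on-segment"    # first bullet: ARP entries conflict
        return "unassigned-in-segment"       # may collide with a host added later
    if return_next_hop(isp_routes, src_ip) == our_ip:
        return "ok-routed-by-isp"            # ISP routes the block via our address
    return "replies-routed-elsewhere"        # second bullet: return path is wrong

# Constructed sample topology (all values are assumptions for illustration).
SEGMENT = "10.0.0.0/24"                      # ISP-side private segment
OUR_IP = "10.0.0.2"                          # firewall's external interface
NEIGHBOURS = {"10.0.0.1", "10.0.0.3"}        # ISP gateway and another customer
ROUTES_DEFAULT = [("0.0.0.0/0", "upstream"), ("10.0.0.0/24", "connected")]
# Same table after the ISP adds a route for the public block via our address.
ROUTES_WITH_BLOCK = ROUTES_DEFAULT + [("203.0.113.0/28", OUR_IP)]

if __name__ == "__main__":
    cases = [
        ("10.0.0.2", ROUTES_DEFAULT),
        ("10.0.0.3", ROUTES_DEFAULT),
        ("203.0.113.5", ROUTES_DEFAULT),
        ("203.0.113.5", ROUTES_WITH_BLOCK),
    ]
    for src, routes in cases:
        print(src, check_source(src, SEGMENT, OUR_IP, NEIGHBOURS, routes))
```

The public source address only works in the last case, where the ISP's table carries a route for the block pointing at the firewall's private address.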