
RE: FW: Help



Thanks so much to everyone who has replied to my request.  I really do
appreciate it.  There have been some excellent comments and yes even a
little humor.  I am taking Michael Wood's suggestion and making a diagram of
the network setup with a little more of a detailed explanation.


             New T1  207.202.255.134
  Internet <-------------------> +----------+
     ^                           | Firewall | 172.30.10.5
     |           +-------------> +----------+ <-----+
     |           |   192.168.56.12                  |
     |           |                                  |          172.30.10.0
     |           |               192.168.56.10      +-------> +-------------+
     |           +-------------> +------------+              /               \
     |                           | Web Server |             +  Private Network +
     |           +-------------> +------------+              \               /
     |           |                                  +-------> +-------------+
     |           |                                  |
     |           |          192.168.56.11           |
     |           +-------------> +--------------+ <-+
     |                           | Old Firewall | 172.30.10.4
     +------------------------>  +--------------+
             Old T1         209.136.255.129


Basically we are changing T1 providers and consequently we are getting new
public IP numbers.  I would like to have both systems up for at least a week
or two for testing, so I can make sure the new system is working properly
before we start depending on it and so we will not lose anybody when we
change our domain registration over to our new DNS servers.  I can route
internal traffic to the internet through the new firewall and it appears to
be working fine.  The problem I am having is that when I try to get to my
web server through the new T1 interface (207.202.255.134 <sorry, a
fictitious number>) it does not seem to be forwarding on to the web server.
In any case I am not getting a response.

I thought it might be a routing problem.  The Web Server might be trying to
send the reply through to the Old Firewall, which in all likelihood would not let
it pass through.  I thought if I had the New Firewall masquerade the traffic
the Web Server would see the requests as originating from its own segment and
not send that traffic to the Old Firewall.  Now, Manfred Wassmann referenced
the system document /usr/doc/netbase/ipmasqadm/README.portfw.gz and
basically said among other things (thanks Manfred, your points were well
taken) "The reply to a forwarded packet will be sent back to the forwarding
host not to the original source address."  Which is what I read into that
document (now that Manfred told me where it is).  However, I think the Web
Server will send the packets back to the Firewall's Internet interface
(207.202.255.134), not the interface on the same segment as the Web Server
(192.168.56.12); consequently they will go to the Old Firewall and probably
die.  Evan Day made an excellent suggestion that I use tcpdump to analyze the
traffic to see where it is actually going.  It may take me a few days to do
that but I will let everyone know the results.

I have received a lot of reservations from people on masquerading incoming
internet traffic to the server.  The main concern is that you could be
masquerading a hacker's IP number who is trying to pry into your system,
making it more difficult to detect and eradicate the attack.  A pretty good
point if you ask me.  I may have to rethink my whole approach.  If in the
meantime any of this spurs more ideas or suggestions with anybody I would
love to hear them.

Thanks,

Brian
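An added illustration, not part of Brian's message or the replies: a small Python model of the Web Server's routing decision for its reply, using the addresses from the diagram above. It assumes (the post does not state it outright) that the Web Server's default gateway is still the Old Firewall's inside interface, 192.168.56.11, and that the client address is a constructed one. It shows both halves of the trade-off the thread raises: plain port forwarding sends the reply toward the Old Firewall, while masquerading brings it back to the New Firewall at the cost of the server logging the firewall's address instead of the client's.

```python
import ipaddress

# Addresses taken from the network diagram in the post.
WEB_SERVER = "192.168.56.10"
NEW_FW_INSIDE = "192.168.56.12"
NEW_FW_OUTSIDE = "207.202.255.134"
OLD_FW_INSIDE = "192.168.56.11"

# Assumed routing table on the Web Server: the 192.168.56.0/24 segment is
# directly connected (no gateway) and the default route still points at the
# Old Firewall's inside interface.
WEB_SERVER_ROUTES = [
    ("192.168.56.0/24", None),
    ("0.0.0.0/0", OLD_FW_INSIDE),
]


def next_hop(dest, routes):
    """Longest-prefix match: the gateway used to reach dest, or dest itself if on-link."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    if best is None:
        raise ValueError(f"no route to {dest}")
    return best[1] or dest


def forward_request(client_ip, masquerade):
    """Model the New Firewall handing a client's request to the Web Server.

    Returns (source address the Web Server sees, host it sends the reply to).
    With masquerading the source is rewritten to the firewall's inside address.
    """
    source_seen = NEW_FW_INSIDE if masquerade else client_ip
    return source_seen, next_hop(source_seen, WEB_SERVER_ROUTES)


def reply_reaches_new_firewall(client_ip, masquerade):
    """True only when the reply leaves the Web Server toward the New Firewall."""
    return forward_request(client_ip, masquerade)[1] == NEW_FW_INSIDE


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed public client address (TEST-NET-2)
    for masq in (False, True):
        seen, hop = forward_request(client, masq)
        print(f"masquerade={masq}: server logs source {seen}, replies toward {hop}")
```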


