Forwarding through Firewall not working?

Victor Churchill jvictor@pobox.co.uk
Thu Nov 21 09:16:00 2002 

Thanks, Erik, for your insightful analysis.

On Wed, Nov 20, 2002 at 03:00:23PM -0500, Eric Zuck wrote:
> I think your basic setup for testing is flawed.
> 
> You are trying to test going through a firewall by going from a local
> network, out to the internet, back in through the WAN side of your firewall,
> and on to your second box (on the same LAN).
> 
> If this is not what you're trying to do, ignore most of what follows, as I
> clearly misunderstood what you're trying :-)

You got it. A local site setup to test before going out into The Field.

> ====> packet is forwarded. Note that source address would be 'ss00' 
> dest address has likely been changed by firewall to 'qgw'
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

/That/ looks like the key point. I give a package to the office
mail-person addressed to Jim who sits next to me. Mail-person does not
take it to the Post Office, they give it direct to Jim. Except, Jim was
expecting a package with an external post-mark not a 'by-hand' sticker.

> ====> 'ss0' sees that 'qgw' is on local LAN, so will send directly back to
> 'qgw'. So it does an ARP request

Dam computers trying to be helpful again.

> ,.. since the traffic is
> destined for an internal address it appears to your firewall that the
> connection is one initiated from an external address===> in this case it
> will not translate the source address. 

Freesco includes a small web server and their docs do as I recall say that 
that server should not be accessed from the inside by its external IP. Same
scenario.

> Clear as mud.

Well actually it does make a kind of sense. And it was a slightly out of
the ordinary situation. (Makes me smile to think how far those signals travelled, 
in order to land on a box physically three inches away! B-) )

> To test your setup, you're going to have to move the second system off the
> local LAN.

Yup. On the phone already.

> Regards,
> -EricZ

Thanks!
Victor

-- 

Victor Churchill , Bournemouth, UK
01202 779643  07970 844083