Forwarding through Firewall not working?
Thu Nov 21 09:16:00 2002
Thanks, Erik, for your insightful analysis.
On Wed, Nov 20, 2002 at 03:00:23PM -0500, Eric Zuck wrote:
> I think your basic setup for testing is flawed.
> You are trying to test going through a firewall by going from a local
> network, out to the internet, back in through the WAN side of your firewall,
> and on to your second box (on the same LAN).
> If this is not what you're trying to do, ignore most of what follows, as I
> clearly misunderstood what you're trying :-)
You got it. A local site setup to test before going out into The Field.
> ====> packet is forwarded. Note that source address would be 'ss00'
> dest address has likely been changed by firewall to 'qgw'
/That/ looks like the key point. I give a package to the office
mail-person addressed to Jim who sits next to me. Mail-person does not
take it to the Post Office, they give it direct to Jim. Except, Jim was
expecting a package with an external post-mark not a 'by-hand' sticker.
> ====> 'ss0' sees that 'qgw' is on local LAN, so will send directly back to
> 'qgw'. So it does an ARP request
Damn computers trying to be helpful again.
> ... since the traffic is
> destined for an internal address it appears to your firewall that the
> connection is one initiated from an external address===> in this case it
> will not translate the source address.
Freesco includes a small web server and their docs do as I recall say that
that server should not be accessed from the inside by its external IP. Same
> Clear as mud.
Well actually it does make a kind of sense. And it was a slightly out of
the ordinary situation. (Makes me smile to think how far those signals travelled,
in order to land on a box physically three inches away! B-) )
> To test your setup, you're going to have to move the second system off the
> local LAN.
Yup. On the phone already.
Victor Churchill , Bournemouth, UK
01202 779643 07970 844083
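The packet flow Eric describes above, as an added model that is not part of the original thread: a LAN client connects to the firewall's own WAN address, the firewall DNATs the packet to the second box, and the second box replies straight across the LAN because the untranslated source is local, so the reply never carries the external "post-mark" the client is waiting for. The addresses and host names are constructed; the `hairpin_snat` switch also shows the usual remedy (source-translating the hairpinned packet so the reply is forced back through the firewall), which the thread itself does not go into.

```python
from dataclasses import dataclass

# Constructed addresses for the model; not taken from the thread.
LAN = {"client": "192.168.1.10", "server": "192.168.1.20"}
FW_LAN, FW_WAN = "192.168.1.1", "203.0.113.5"
DNAT = {FW_WAN: LAN["server"]}  # port-forward rule: WAN address -> server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def simulate(hairpin_snat: bool) -> dict:
    """Trace one request/reply through the firewall from a host on the same LAN.

    hairpin_snat=False reproduces the failure discussed in the thread;
    hairpin_snat=True shows the translation that makes the reply path symmetric.
    """
    client = LAN["client"]
    # 1. The LAN client addresses the packet to the firewall's WAN IP,
    #    exactly as an outside user would.
    req = Packet(client, FW_WAN)
    # 2. The firewall applies the port-forward: destination becomes the server,
    #    but the source stays the client's LAN address unless we SNAT it too.
    fwd = Packet(req.src, DNAT[req.dst])
    if hairpin_snat:
        fwd = Packet(FW_LAN, fwd.dst)
    # 3. The server replies to whatever source address it saw.
    reply = Packet(fwd.dst, fwd.src)
    # 4. If that source is on the server's own LAN it ARPs for it and delivers
    #    directly; the firewall never sees the reply and cannot untranslate it.
    via_firewall = reply.dst == FW_LAN
    if via_firewall:
        # Firewall reverses both translations from its connection state.
        reply = Packet(FW_WAN, client)
    # 5. The client's stack only matches a reply from the address it connected
    #    to (FW_WAN); a reply from the server's LAN address is a stray packet.
    return {
        "server_saw_src": fwd.src,
        "reply_src": reply.src,
        "via_firewall": via_firewall,
        "client_accepts": reply.src == FW_WAN,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"hairpin_snat={mode}:", simulate(mode))
```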