Re: [Fwbuilder-discussion] DNAT bringing up an interface and stealing all other connections
From: Chris M. <ch...@ma...> - 2007-12-08 05:23:42
Chris,

First let me apologise. I was being interrupted when I read your original email; re-reading it, I had misinterpreted what you were trying to convey.

I use Fwbuilder in the same configuration I believe you are trying to use it, and I don't experience the issue that you have.

First, I don't have FWB adding interfaces. In "Firewall Settings" -> "Script Options" I have:

Add virtual Address for NAT = off
Verify Interface before loading = off
Configure Interfaces = off

I would urge you to first double check the config you have. I really think that your problem comes from the "Add virtual Address for NAT" setting.

Cheers

---------------------------------------------------------------------------
Chris Martin
m: 0419 812 371
e: ch...@ma...
---------------------------------------------------------------------------

> -----Original Message-----
> From: Chris Pitchford [mailto:cpi...@in...]
> Sent: Saturday, 8 December 2007 12:21 PM
> To: Chris Martin
> Cc: 'Chris Pitchford'; fwb...@li...
> Subject: RE: [Fwbuilder-discussion] DNAT bringing up an interface and
> stealing all other connections
>
> > The problem you are encountering is that packets from the client(.30) to
> > either the oldServer(.10) or the newServer(.20) would not usually pass
> > through the firewall. They are all on the same network segment, and as such
> > the firewall plays no part in filtering the traffic
> >
> > The client (.30) will recognise that oldServer(.10) and newServer(.20) are
> > on the same subnet, and will NOT pass traffic through the router. Instead
> > client(.30) will issue an ARP to find the MAC address of the newServer(.20)
> > or oldServer(.10), and then communicate directly with it.
> >
> > Client(.30) will ONLY forward packets to the router that are NOT on the same
> > subnet.
> >
> > As a result placing NAT rules on your router/firewall is useless as the
> > firewall is not in the path of the packets
>
> You are right.. but why would ANYONE try and NAT in this situation..
> surely it makes more sense to NAT when the firewall is the gateway.. see
> below
>
> > In order to do what you want, there MUST be some way to the packets passed
> > to the router first. Hence the Old IP address on the router interface, or
> > proxy ARP
> >
> > If your client is a Linux server/workstation, you could use IP tables on the
> > client to do NAT on the client
>
> Yeah, that'd be nice.. Welcome to solaris and bespoke network appliances!
> Either way, that does not excuse the problem in fwbuilder
>
> > You mention that this is the same as packets coming from the internet.
> > Unfortunately this is not correct; your scenario is NOT the same.
> > All packets from the internet will be passed through the router. It's the
> > only path available to them. But in your case the client is communicating
> > directly with the servers and not through the firewall because they are all
> > on the same subnet.
>
> No, it isn't! That's my point
>
>          Client
>            |
>     --^-----,-----
>            |
>            FW
>            |
>     --------^-------,-------,-------
>                     |       |
>                    OLD     NEW
>
> If I want:
>
>     Any -> OLD HTTP Orig -> NEW Orig
>
> as a NAT rule, fwbuilder will assign OLD's address on the FW. This means
> now OLD cannot be directly reached at ALL, what's more it cannot route
> through the firewall at all either! Client can connect to NEW via the NAT
> rule, OLD essentially becomes a NAT only address..
>
> As you can see the traffic from client to OLD goes THROUGH FW.
>
> What's more the NAT rule will NEVER work if Client is on the same network
> as OLD and NEW for the reasons you pointed out.. So, the question is why
> add the address alias since it won't help it to work!!???
>
> In fact, adding the alias means that if client sits on the same network as
> OLD and NEW there's a 50% chance that when trying to connect to OLD, the
> firewall will reply to the ARP requests first and client will end up
> connecting directly to the firewall! If the firewall then NATs that
> connection, it will be redirected to NEW who will reply directly and it
> will all fail!
>
> If OLD replies to the ARP first, Client will talk to OLD directly and the
> firewall is out of the connection altogether. The NAT still does not
> work.
>
> I sent a much longer email with all this, please have a look (if you can
> stand the length!) and let me know what you think. As far as I can tell if
> the original and translated destinations of a DNAT rule are local to the
> same interface, adding an address alias is not only pointless (since it is
> not required for external clients) but actually harmful as it makes it
> difficult for machines on the local network (where both OLD and NEW sit)
> to talk to OLD because OLD and the firewall fight to reply to ARP
> requests!
>
> Cheers
>
> Chris
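The two path arguments made in the thread (a client on OLD's own segment never sends through the firewall, and a firewall that takes OLD's address as a NAT alias competes with OLD for ARP) as an added example, not code from the thread or from fwbuilder; the addresses and the assumption that the alias lands on the firewall interface facing OLD are constructed, since the thread only gives last octets.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    segment: str  # broadcast domain of this interface, e.g. "192.0.2.0/24"


def same_segment(a: Host, b: Host) -> bool:
    """Hosts on one segment resolve each other with ARP and bypass the gateway."""
    return ipaddress.ip_network(a.segment) == ipaddress.ip_network(b.segment)


def check_dnat(client: Host, old: Host, fw_inside: Host,
               add_virtual_alias: bool) -> dict:
    """Evaluate a 'Any -> OLD HTTP, translated to NEW' DNAT rule on the firewall.

    fw_inside is the firewall interface facing OLD; with fwbuilder's
    'Add virtual Address for NAT' on, OLD's address is assumed to be added there.
    """
    in_path = not same_segment(client, old)
    # A second owner of OLD's address on OLD's own segment races OLD for ARP replies.
    alias_conflict = add_virtual_alias and same_segment(old, fw_inside)
    return {
        "firewall_in_path": in_path,
        "dnat_matches": in_path,  # only packets the firewall forwards hit the rule
        "alias_conflicts_with_old": alias_conflict,
        "old_reachable_directly": not alias_conflict,
    }


# Constructed addresses (assumption): 192.0.2.0/24 is the server segment,
# 198.51.100.0/24 a segment behind the firewall.
OLD = Host("OLD", "192.0.2.10", "192.0.2.0/24")
FW_INSIDE = Host("FW-inside", "192.0.2.1", "192.0.2.0/24")
LOCAL_CLIENT = Host("client", "192.0.2.30", "192.0.2.0/24")
REMOTE_CLIENT = Host("client", "198.51.100.30", "198.51.100.0/24")

if __name__ == "__main__":
    for client in (LOCAL_CLIENT, REMOTE_CLIENT):
        for alias in (False, True):
            result = check_dnat(client, OLD, FW_INSIDE, alias)
            print(f"{client.ip:>14} alias={alias!s:5} -> {result}")
```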