Re: [Fwknop-discuss] Help for NAT support details.
From: Michael R. <mb...@ci...> - 2008-03-01 03:14:20
If the fwknop client and the fwknopd server are on the same "internal" network, then there is no need to resolve the external IP with -R since this IP will be on a different network. In this case, all you need is the source IP of the client (say, 192.168.10.1) and of the server (say, 192.168.10.2), and then use "-a 192.168.10.1" on the client command line. You could also use "-s" so that the server will honor whatever IP address the SPA packet originates from, but this is not generally recommended because such communications are subject to potential MITM attacks.

More information on this is contained in Sebastien Jeanquier's MSc thesis:

http://www.securethoughts.net/spa/An%20Analysis%20of%20Port%20Knocking%20and%20Single%20Packet%20Authorization%20%28Sebastien%20Jeanquier%29.pdf

--
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F

On Feb 29, 2008, Abhishek Rahirikar wrote: