Tugger the SLUGger! SLUG Mailing List Archives

[chat] Please pick this apart

I have just written this up as a newbie answer on Masquerading. Do I get full marks or did I stuff it up somewhere? I put this in the public domain (just in case it is the best thing since sliced bread).

When you communicate with another machine you have four parts to the address: two IPs and two port numbers. The IP for Telnet MUST be known (how else would you establish your session), so to establish to charlie we get IP and port 21. From the firewall box I use (dummy external IP) and a port number, say 1044, that is assigned by my computer when I establish the socket. Charlie Telnet knows which port I came from because I am starting the session, so it knows how to get back to me. So charlie sends messages to IP port 1044 and I see the response as defined by the telnet application (it prints it to the screen).

Stage II: masquerade. Internal port 1033 tries to connect to port 21. It is outside my network, so it uses my default gateway. The default gateway has complex logic on it that then changes the IP address to its external address and dynamically creates a port for it, say 5021. It creates a table entry saying anything in on port 5021 goes to port 1033. So when traffic comes back on port 5021 it simply looks at the port and substitutes the original IP and port 1033. As far as my workstation is concerned it is getting it directly from charlie, because that is what it sees; as far as Charlie is concerned it is getting it directly from my firewall, because that is what it sees.

This is all smoke and mirrors normally. You take a software solution, plop it in and it does this; you just set up the routing rules and say NAT (name and address translation) or Masquerade in the options. Is this a firewall? Yes, because traffic allowed in to my workstation only gets there if I set up an outwards connection first. In order to attack my workstation I have to talk to you first. In order to be a proper firewall there are a few other things to consider as well; no point having a vanilla Windows 95 firewall with redirection software, it is too easy to crack. You must run Zone Alarm or better yet run Linux :-)

Firewalls are an advanced subject, I can only give you a beginners' guide.
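The translation table the post describes, as an added Python simulation (my own example, not code from the post or from SLUG): a connection from internal port 1033 to port 21 is rewritten to external port 5021, the reply on 5021 is mapped back to port 1033, and a packet with no table entry is dropped. The addresses are constructed, and the inbound check goes one step beyond the post's port-only lookup by also requiring the reply to come from the peer that was contacted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Masquerader:
    """Toy source-NAT box: outbound traffic gets the external IP plus a fresh port."""

    def __init__(self, external_ip, first_port=5021):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table = {}    # external port -> (int ip, int port, remote ip, remote port)
        self.reverse = {}  # that 4-tuple -> external port, so a flow reuses its entry

    def outbound(self, pkt):
        """Rewrite a packet leaving the LAN and record the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.reverse.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.table[port] = key
            self.reverse[key] = port
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map a packet from outside back to the internal host; None means dropped."""
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited: nobody inside opened this port first
        int_ip, int_port, rem_ip, rem_port = entry
        if (pkt.src_ip, pkt.src_port) != (rem_ip, rem_port):
            return None  # stricter than the post: must come from the peer we contacted
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)

# Constructed addresses (RFC 5737 documentation ranges), not the post's real ones.
WORKSTATION, CHARLIE, FIREWALL_EXT = "192.168.1.10", "203.0.113.5", "198.51.100.1"

def run_scenario():
    nat = Masquerader(FIREWALL_EXT)
    out = nat.outbound(Packet(WORKSTATION, 1033, CHARLIE, 21))  # port 1033 -> charlie:21
    reply = nat.inbound(Packet(CHARLIE, 21, out.src_ip, out.src_port))  # comes back on 5021
    stray = nat.inbound(Packet("198.51.100.77", 4444, FIREWALL_EXT, 5021))
    unsolicited = nat.inbound(Packet(CHARLIE, 21, FIREWALL_EXT, 5022))
    return out, reply, stray, unsolicited
```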