Tugger the SLUGger!SLUG Mailing List Archives

Re: [chat] Please pick this apart


Subject: [chat] Please pick this apart

ok I'll hve a bash at some small points - overall pretty encompassing I
think...


> I have just written this up for an newbie answer on Masquerading.   Do I
> get full marks or did I stuff it up somewhere....  I put this in the
> Public domain (just in case it is the best thing since sliced bread).
>
> When you communicate with another machine you have four parts to the
> address,  two IPs and two port numbers.  The IP for Telnet MUST be known
> (how else would you establish your session) so to establish to charlie
> we get IP 138.25.9.2 and port 21.  From firewall box I use 203.1.1.1
> (dummy external IP) and a port number say 1044 that is assigned by my
> computer when I establish the socket.  Charlie Telnet knows which port I
> came from because I am starting the session so it knows how to get back
> to me.  So charlie sends messages to IP 203.1.1.1 port 1044 and I see
> the response as defined by the telnet application (it prints it to the
> screen).
>

I don't know if it helps but I think that a socket is merely an IP addr and
a port. Sockets are a useful concept then to explain masqing... To explain a
port you can say its just a logical way to further divide an IP address into
useful sections so different services don't trip over one another.


> Stage II  masquerade.  internal 192.168.1.2  port 1033 tries to connect
> to 138.25.9.2 port 21.  It is outside my network so it uses my default
> gateway  192.168.1.1.  The default gateway has complex logic on it that
> then changes the IP address to its external address 203.1.1.1  and it
> dynamically creates a port for it say 5021.  It creates a table entry
> saying anything in on port 5021 goes to 192.168.1.2 port 1033.  So when
> traffic comes back on port 5021 it simply looks at the port substitutes
> the original ip 192.168.1.2 and port 1033.   As far as my workstation is
> concerned it is getting it directly from charlie because that is what it
> sees, as far as Charlie is concerned it is getting it directly from my
> firewall 203.1.1.1 because that is what it sees.
>

I think the term default gateway is primarily a routing term - which may
either need explanation or exclusion. Note that Linux masqing uses source
ports above 60000 i think. Once the person understands sockets (which is
just an IP addr and a port) then you can throw the term socket around
instead of the IP addr and the port :)

> This is all smoke and mirrors normally.  You take a software solution
> plop it in and it does this and you just set up the routing rules and
> say NAT (name and address translation) or Masquerade in the options.

I don't know what is smoke and mirrors (perhaps I don't understand the term)
Note that this needs to happen on a router. Routers connect networks, and
therefore must have at least 2 interfaces (one to each network), perhaps
more. Also its Network Address Translation - and you are describing probably
the most common form of it. There are many other translations you can do
(back and forth along the router to various mixtures of internal networks).

> Is this a firewall,  yes because traffic allowed in to my workstation
> only gets there if I set up an outwards connection first.  In order to
> attack my workstation I have to talk to you first.  In order to be a
> proper firewall there are a few other things to consider as well,  no
> point having a vanilla windows 95 firewall with redirection software,
> it is too easy to crack.  You must run zone alarm or better yet run
> Linux :-)

Unless you specifically filter other types of traffic and filter spoofed
traffic as well, then the Linux masq is probably no better by design than
the windows 98 masq. The main difference in my experience is that the
windows one doesnt work very well (I refer to native ICS). To provide the
full functionality of Zone alarm on linux (GUI aside) you will need
something like snort and a very strong firewall ruleset. Not that I think
that that is necessary - most of the time a properly secured host at the
application level (up to date patches etc) will be resistant to attacks and
not need a firewall. Note that application level security is the problem
that Code red etc take advantage of.

> Firewalls are an advanced subject,  I can only give you a beginners guide.
>

you could also begin with the OSI model of networking

http://www.rad.com/networks/1994/osi/layers.htm

or a google search will give you more authorative links. IP is on the
network layer and TCP/UDP is on the transport layer. Note that masqing as
you outline here is designed for most TCP/UDP transactions and you have to
take extra steps to get other transport layer protocols to work (VPN stuff
comes to mind).

Hope that helps, you did well though.


Dave