Re: Redirection to local lan, isn't DNAT method unsafe.
|[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]|
On April 1, 2004 04:55 am, Antony Stone wrote: > On Thursday 01 April 2004 10:42 am, Bo Jacobsen wrote: > > > Well, DNAT is normally used to map externally-accessible public IPs to > > > real internal systems on non-routable 10.x.y.z, 172.16.a.b or > > > 192.168.c.d addresses, therefore the problem never arises (since people > > > across the Internet can't send packets to the real private addresses > > > even if they knew what they were). > > > > > > There isn't a "better" way to redirect traffic to other IP addresses, > > > however why do you think it's a problem for people to use the "real" > > > address instead of the one you're telling them to use. They have > > > access to the machine, so why does it really matter which address they > > > use to connect to it? > > > > The problem is that many hosts, with this setup, actually is connected to > > the internet using a public ip, and beeing able to resolve internal > > ip-information is not good. > > Now I'm confused. (Easily done...) > > Were the 192.168.x.y addresses you gave in your original posting accurate, > or just examples, and you are now saying that the source machines are > actually systems out on the Internet somewhere with real public IPs? > > Please clarify - who are you worried about discovering the real internal IP > addresses of your machines, and where are they located on the network? > Can they really send packets to the private IP address as you outlined in > your original posting? > > My expectation is that people "out on the Internet" cannot connect to your > private IPs (because the addresses are non-routable), therefore the > question doesn't arise for them. People associated with your local > network (ie: inside your connection point to the Internet) surely aren't a > problem even if they do discover the real private IP address? Or am I > missing something here about what you are trying to secure from whom? > > Hope that's clear.... > > Regards, > > Antony. Actually I can see one other horrible possibility --- an ISP with a \28 net -- where the internal network of the ISP is by neccesity a non routeable address space, and is natted within the \28 netowork ... or where subscribers are all on non routeable addresses and primary connection services are on the \28 space.... Alistair.