Security Basics mailing list archives

Re: Company Firewall's IP Address


From: Bill Hamel <billh () bugs hamel net>
Date: Tue, 19 Nov 2002 09:46:23 -0500 (EST)


Ya know, if I didn't know any better I would think this thread is going in
the direction of confusing the 'basic-security' reader.

A. At the routing level packets will ALWAYS go to the next-hop which may
not be the final source or destination, so the first part of your
statement makes some sense.

B. The second part does not make sense. What does "Extrapolate proxies"
have to do with how something is going to route on the net? Since this is
a Basic-Security forum, please enlighten me. I am always willing to learn
something new.

The original user had a window pop up in a browser that showed him the IP
address of the external interface of the firewall.

This is absolutely normal if you "Extrapolate" what is going on.

The user opens up his/her browser on their desktop. Their desktop has an
internal IP address. The firewall translates this into an Externally
routable IP address which lives on the external interface of the firewall.

Once that packet is fired off to its destination it typically goes
through multiple hops (see "Traceroute") to get there. It needs a return
path back to the external interface of the firewall hence the IP address
MUST be available to the destination.

IMHO a "Proxy" has nothing to do with this, see "Basic Routing Principles"
;)


-bh





On Mon, 18 Nov 2002, Meritt James wrote:

The packets do not have to go directly to the source IP.  They have to
get to something that can get them to something... that can get to the
source IP.  Extrapolate proxies.

Jim

Bill Hamel wrote:

Then routing wise, how do the packets find their way back to the firewall
if they don't know the source IP?

On Fri, 15 Nov 2002, Meritt James wrote:

Such is not the case.  I've done otherwise.

Bill Hamel wrote:

Unless I am missing something in the question, no matter what you do,
what/whoever you connect to through a firewall will always know the IP
address of the trusted interface of the firewall.

-bh

On Wed, 13 Nov 2002, Meritt James wrote:

"an" IP Address - not necessarily the originating individual.  There are
a LOT of ways around that.

Jim

Leonard.Ong () nokia com wrote:

There is nothing new about finding your IP Address and displaying it on the web page.

--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566
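
The address translation and return path discussed in this thread, as an added example that is not part of the original messages. It assumes the firewall does port-translating NAT; the class and function names are hypothetical and every address is constructed from private and documentation ranges.

```python
# Added illustration: why the remote web server sees the firewall's external IP.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatFirewall:
    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.out_map = {}  # (int_ip, int_port, dst_ip, dst_port) -> external port
        self.in_map = {}   # (external port, remote_ip, remote_port) -> (int_ip, int_port)

    def outbound(self, pkt):
        """Rewrite the internal source to the external interface and record state."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out_map:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.external_ip, src_port=self.out_map[key])

    def inbound(self, pkt):
        """Map a reply back to the desktop; drop anything with no matching state."""
        entry = self.in_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if pkt.dst_ip != self.external_ip or entry is None:
            return None
        return replace(pkt, dst_ip=entry[0], dst_port=entry[1])

def server_reply(pkt):
    """The server only knows the source address it received, so it answers to it."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)

def demo():
    fw = NatFirewall("203.0.113.1")                       # constructed external IP
    a = Packet("192.168.1.10", 51000, "198.51.100.10", 80)  # two desktops, same
    b = Packet("192.168.1.11", 51000, "198.51.100.10", 80)  # source port
    seen_a, seen_b = fw.outbound(a), fw.outbound(b)        # what the server receives
    back_a = fw.inbound(server_reply(seen_a))
    back_b = fw.inbound(server_reply(seen_b))
    stray = fw.inbound(Packet("198.51.100.99", 80, "203.0.113.1", 40000))
    return seen_a, seen_b, back_a, back_b, stray

if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both desktops appear to the server as the same external address, told apart only by the translated source port, and a packet from a host with no state entry is dropped.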


