Firewall Wizards mailing list archives

Re: dirty packet tricks?


From: Barney Wolff <barney () tp databus com>
Date: Wed, 10 Jul 2002 21:55:27 -0400

Maybe I'm not understanding the problem correctly, but why can't a
box with the standard (for FreeBSD) ipfw/natd combo do what you
want? Let there be a router with a /32 route to the target via one
interface of the box and the other interface be connected to the
firewall.  All packets from inside to 16.67.32.1 flow through the
NAT box on the way to the firewall.  Packets going the other way
go to the outside interface of the box and get de-NAT'd, then flow
to the real inside destination.  If the firewall is not under your
control, the packets can be re-merged in a second router before
reaching the firewall.  If you can't control the inside routing,
how could you ever force packets to come to your box in the first
place?

Since the firewall is NATing, packets will get NAT'd twice.  So?

On Wed, Jul 10, 2002 at 10:59:17AM -0400, Marcus J. Ranum wrote:
> 1) our network is 10.10.10.0/24
> 2) our "target" machine is 16.67.32.1/32 port 23
> 3) there is a router/firewall on the edge of 10.10.10.0 that blocks all
>       traffic to 16.67.32.1
> 4) the router/firewall _allows_ traffic from one machine (our mystery
>       box) to the target 16.67.32.1 port 23
> 5) all machines on network 10 that try to talk to 16.67.32.1 port 23
>       should get the connection "stolen" from our machine, which
>       should connect to the _real_ 16.67.32.1 and get packets back
>       and forth

-- 
Barney Wolff
I never met a computer I didn't like.
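The two-interface ipfw/natd box Barney describes, written out as an added example that is not part of the original post or the list. Interface names, the inside /24, the natd port and the rule numbers are assumptions; the target address comes from the quoted scenario.

```shell
#!/bin/sh
# Added example (not from the original post): sketch of the FreeBSD ipfw/natd
# box. Interface names, natd port and rule numbers are assumptions.
INSIDE_IF=${INSIDE_IF:-fxp0}      # the inside router's /32 route for TARGET points here
OUTSIDE_IF=${OUTSIDE_IF:-fxp1}    # faces the edge firewall
INSIDE_NET=10.10.10.0/24
TARGET=16.67.32.1
NATD_PORT=8668                    # natd's default divert port

# Ruleset in ipfw(8) syntax without the leading "ipfw" word. Assumed but not
# shown: forwarding enabled (sysctl net.inet.ip.forwarding=1) and a kernel
# with IPFIREWALL and IPDIVERT.
emit_rules() {
    cat <<EOF
flush
# Everything crossing the outside interface goes through natd: outbound
# packets leave with the box's own (firewall-permitted) source address,
# inbound replies are de-NAT'd back to the real inside host.
add 100 divert $NATD_PORT ip from any to any via $OUTSIDE_IF
# Outbound telnet to the target. The packet passes the ruleset once per
# interface, i.e. before and after NAT, so the source is left as "any".
add 200 allow tcp from any to $TARGET 23
# Replies from the target, already de-NAT'd to an inside address.
add 210 allow tcp from $TARGET 23 to $INSIDE_NET established
# Only the /32 is routed here; anything else is unexpected.
add 65000 deny log ip from any to any
EOF
}

# Start natd masquerading behind the outside interface, then load the rules.
apply_rules() {
    natd -n "$OUTSIDE_IF" -p "$NATD_PORT"
    emit_rules | grep -v '^#' | while read -r rule; do
        ipfw -q -f $rule    # word splitting of $rule is intended
    done
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     emit_rules ;;    # dry run: print the ruleset only
esac
```

Run with `apply` on the box itself; without arguments it only prints the rules for review.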
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards