Penetration Testing mailing list archives

Re: [PEN-TEST] advertising private IP numbers?


From: "Carter, Adam" <adam () JAFTAN COM AU>
Date: Sat, 23 Dec 2000 12:35:22 +1100

That or that IP forwarding is turned on on the Proxy/Firewall which is not a
good idea.

While that makes sense for proxies, why would it be the case for packet
filters/stateful inspectors? Since the routing code is built into the OS,
why not use it? Checkpoint on Solaris uses the kernel IP forwarding to
route. It switches it on when the firewall is up and switches it off when
the firewall is stopped <grin> (you can check with ndd). Remember that the
packet filter code sits between the NIC driver and the OS's IP stack, so it's
not possible for the kernel to directly route the packet and bypass the
firewall's packet inspection.

Of course, all the Checkpoint docos say to turn off IP forwarding, but that's
just so the box doesn't route when the firewall is off.

Well, by definition, a Proxy/Firewall has to have IP forwarding turned
on, or else it would not achieve the desired effect of passing any
traffic.

Proxies "route" at the application layer and so they require that the kernel
does not route, or they will never see the packets.

The other question I have, is why is this person using the reserved
address space on a non-stub network? I assume the hops listed as '22'
and '23' are "real IPs" and are x'd out to protect the identity of the
network. If this is the case, I wonder why they'd route real IPs
through a NAT'd network....

What makes you think it's NATed?

Adam

