
RE: [Nufw-users] ACL -> NAT


From: Eric Leblond
Subject: RE: [Nufw-users] ACL -> NAT
Date: Mon, 27 Nov 2006 19:54:23 +0100

On Monday 27 November 2006 at 10:34 +0000, address@hidden wrote:
> Hello,
> 
> OK, I found where the problem is: my friends, like most people, use a box
> and are NATed.
> 
> When a user authenticates with nutcpc, nuauth sees the public IP (I like that).
> But when nutcpc wants to authenticate a packet, it sends the local IP to
> nuauth (bad, very bad).
> I tried playing with the nuauth options, but nothing.
> 
> Question: does an option exist?

No ...

> For me the solution would be for nuauth to replace the IP sent by nutcpc
> (when it tries to authenticate a packet) with the public IP of this
> client.

The problem is that the source port can also be changed by the firewall
(on the box). Thus a simple change of the source IP is not enough.
But it could be enough in a small-scale network where the source port is not
changed.

> Let me explain: user toto authenticates with nutcpc, and nuauth says user toto
> connected with IP 82.246.224.203.
> toto tries to connect with ssh (for example); nuauth says toto tries to
> authen.. a packet with another IP (192.168.1.2).
> 
> -> nuauth knows that toto's IP is 82.246.224.203 => when toto sends
> 192.168.1.2, nuauth replaces the first with the second IP.
> 
> I don't see a security problem => this option exists.

There is a security issue when running NuFW over an untrusted network,
see:
http://www.nufw.org/eficaas/eficaas_algo_proof.pdf
If you are ready to take the risk then your solution should work in most
cases.

> For the moment I can't use nufw => all people are behind a box (except for
> local networks).

This is clearly a problem.

> 
> If this option doesn't exist, can you tell me which files are used
> for this? I will try to modify the source.

You can have a look at function userpckt_decode in user_authsrv.c line
456 and below...

BR,
-- 
Eric Leblond <address@hidden>
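An added illustration of the point made in this reply (not NuFW code; the flow names, the SSH server address and the port numbers are constructed): nuauth has to correlate the 4-tuple reported by nutcpc with the 4-tuple the firewall actually saw, and substituting the public IP learned at login only succeeds while the box leaves the source port alone.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional

# Constructed model of the packet-authentication correlation discussed in the
# thread. Not NuFW code: Flow, nat_translate and naive_match are assumed names.


@dataclass(frozen=True)
class Flow:
    """Source/destination 4-tuple of one TCP connection."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def nat_translate(flow: Flow, public_ip: str, new_port: Optional[int] = None) -> Flow:
    """What the home box does to an outgoing packet: the source IP is always
    rewritten; the source port is rewritten only when the NAT picks a new one."""
    port = flow.src_port if new_port is None else new_port
    return replace(flow, src_ip=public_ip, src_port=port)


def naive_match(claimed: Flow, public_ip: str, seen: Flow) -> bool:
    """The fix proposed in the thread: swap the client's local source IP for
    the public IP nuauth learned at login, then compare the full 4-tuple with
    the packet the firewall reported."""
    return replace(claimed, src_ip=public_ip) == seen


def demo() -> Dict[str, bool]:
    public_ip = "82.246.224.203"  # toto's address as seen by nuauth at login
    # What nutcpc reports for toto's ssh connection (constructed server address).
    claimed = Flow("192.168.1.2", 40000, "203.0.113.10", 22)
    port_preserving = nat_translate(claimed, public_ip)
    port_rewriting = nat_translate(claimed, public_ip, new_port=51234)
    return {
        "port_preserving_nat": naive_match(claimed, public_ip, port_preserving),
        "port_rewriting_nat": naive_match(claimed, public_ip, port_rewriting),
    }


if __name__ == "__main__":
    for nat_kind, matched in demo().items():
        print(f"{nat_kind}: {'packet authenticated' if matched else 'no match'}")
```

The second case is the one the reply warns about: once the box rewrites the source port, the IP substitution alone leaves the packet unauthenticated, so the firewall would need the NAT's port mapping as well.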
