[NCLUG] IP Masqing on the New and Improved AT&T

Eric Brunson brunson at level3.net
Tue Dec 11 13:45:43 MST 2001


You've piqued my curiosity.  Do you think you can show us contrasting
dig outputs for the same lookup from the firewall and a masq'ed
machine?  A snoop/tcpdump of a query-response would be interesting,
also.

Of course I'm on vacation and have time to burn, if you don't have the
free time to hunt up this garbage, you seem to have a satisfactory work
around.  This would be a purely academic exercise.  Plus, you don't
know when att's bizarre setup is going to randomly start working.  I
hate that.

Academical-ly yours,
e.

* Neil Doane (caine at vasoftware.com) [011211 13:19]:
> * Eric Brunson (brunson at level3.net) on [12-11-01 09:03] did utter:
> > I'm sorry I don't have a solution for your problems and I certainly
> > don't deny that you are seeing this behavior, but from my (possibly
> > incorrect) understanding of how NATting works, I can't agree with your
> > proposed explanation for it.
> 
> Understandable.  I don't much agree with it either, but I'm at a loss to
> explain how their DNS servers can tell that the request is coming from a
> masq-ed workstation behind my firewall and not from the box connected to the
> modem.  My ipchains rules are pretty simple...
> 
> 	/sbin/ipchains -M -S 7200 10 160
> 	/sbin/ipchains -A input -j ACCEPT -i eth0 -s 0/0 67 -d 0/0 68 -p udp
> 	/sbin/ipchains -P forward DENY
> 	/sbin/ipchains -A forward -s 192.168.0.0/16 -j MASQ
> 
> I just checked again and it's still doing it...hrm.
> 
> 
> 
> Neil
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~                  
>        . /._ o /    
>       /|//- / /                                           caine at vasoftware.com	
>      / ''- / /__                                        caine at antediluvian.org
>     '                                      
> ~~ http://angryflower.com/bobsqu.gif ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> _______________________________________________
> NCLUG mailing list
> NCLUG at nclug.org
> http://www.nclug.org/mailman/listinfo/nclug


-- 
 Eric Brunson   brunson at level3.net   page-eric at level3.net  
tcA thgirypoC muinelliM latigiD eht detaloiv tsuj evah uoY


