[Leaplist] IPCop question

Ray Brunkow ray at brunkow.ws
Sat Jan 10 13:54:36 EST 2009


John Simpson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 2009-01-09, at 2242, Ray Brunkow wrote:
>>
>> I am soon to have a need to map a set of ports to more than one 
>> internal IP.  My current setup is simple RED/GREEN nothing fancy.  
>> Just simple configuration with a semi-custom iptables for blocking of 
>> specific ports for windows viruses and several known mal/spyware URLs 
>> IP ranges.
>>
>> My thought was to add BLUE to the IPCop, yes I have the NIC and the 
>> system can handle a 3rd NIC, but then if I do that, how can I 
>> configure apple file sharing to connect the 2 computers?
>
> two questions:
>
> first question: why blue? the rules which ipcop builds for a blue 
> segment are designed around the idea of connecting it to a wireless 
> access point. i won't say that blue is useless as a wired segment, but 
> it does bring some special conditions with it - conditions which make 
> it perfect for a wireless access point, but can cause problems for 
> wired clients if you don't know about them. blue and green segments do 
> NOT act the same as each other.
>
> second question: why do you feel the need to add a third segment in 
> the first place?
>
> the usual reason for adding an additional segment is so you can have 
> web, mail, DNS, or other servers on an orange segment, where the 
> outside world can access them (subject to the rules you've created), 
> while the workstations are on a green segment, and cannot be directly 
> accessed from outside, OR FROM THE ORANGE SEGMENT.
>
> the idea is that if a bad guy manages to take over your web server on 
> orange, they still don't have access to your green machines.
>
>
>> One acts as a media server for the other, both are running OS X (one 
>> 10.4 as the client one 10.5 as the server neither OS X server vs as 
>> all I am doing is simple file sharing for media output to my TV in 
>> the living room).
>
> why does any of this need to be accessible from outside at all? to me 
> this sounds like you should just put both machines on the green 
> segment, and not worry about orange or blue segments or any kinds of 
> port mappings at all.
>
Yes, that is how they are now, but my issue is mapping the same ports to 
both systems.  As far as I know you can only map 1 or a set of ports to 
1 internal IP.

example:  port 22 can only map to 192.168.1.2 for an example and can not 
be made to connect to either 1.2 or 1.3.  Is that correct?

That was my thinking behind asking about adding BLUE to my IPCop.
>
> - ----------------------------------------------------------------
> | John M. Simpson    ---   KG4ZOW   ---    Programmer At Large |
> | http://www.jms1.net/                         <jms1 at jms1.net> |
> - ----------------------------------------------------------------
> | http://video.google.com/videoplay?docid=-1656880303867390173 |
> - ----------------------------------------------------------------
>


-- 
Raymond L. Brunkow
5th Degree Black Belt
Certified Instructor
Choong Sil Kwan TaekwonDo Federation
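The port-mapping limit Ray asks about above can be made concrete with a small, added example that is not part of this thread and not IPCop's own port-forwarding code: it builds plain Linux iptables DNAT rules from a list of forwards and refuses a list in which one external port on the RED address points at two different internal hosts, which is exactly the "port 22 to both 192.168.1.2 and 192.168.1.3" case. The 192.168.1.2/192.168.1.3 addresses and port 22 are taken from the message; the RED interface name `eth0` and the external ports 2222/2223 used to give each host its own mapping are constructed for the example. The generated rule text is generic iptables syntax, not a claim about how IPCop's web interface installs its forwards.

```python
"""Build Linux iptables DNAT port-forwarding rules and reject collisions.

On a single external (RED) address an external port can be forwarded to
only one internal host, so two internal hosts that both run the same
service need two distinct external ports.  Added example, not IPCop code.
"""
from dataclasses import dataclass

RED_IF = "eth0"  # constructed name for the RED (WAN) interface


@dataclass(frozen=True)
class Forward:
    ext_port: int       # port the outside world connects to on RED
    int_addr: str       # internal (GREEN) host that receives the traffic
    int_port: int       # port the service listens on inside
    proto: str = "tcp"


def check_collisions(forwards):
    """Return the (proto, ext_port) pairs claimed by more than one internal host.

    Listing the same external port twice for the *same* destination is harmless
    duplication, not a collision, so only differing destinations are reported.
    """
    seen = {}
    dupes = set()
    for f in forwards:
        key = (f.proto, f.ext_port)
        dest = (f.int_addr, f.int_port)
        if key in seen and seen[key] != dest:
            dupes.add(key)
        seen.setdefault(key, dest)
    return sorted(dupes)


def build_rules(forwards, red_if=RED_IF):
    """Emit DNAT (nat/PREROUTING) plus matching FORWARD accept rules.

    Raises ValueError instead of silently producing rules where the kernel
    would only ever honour the first DNAT match for a given external port.
    """
    dupes = check_collisions(forwards)
    if dupes:
        raise ValueError(f"external port mapped to more than one host: {dupes}")
    rules = []
    for f in forwards:
        # Rewrite the destination of inbound connections on RED.
        rules.append(
            f"iptables -t nat -A PREROUTING -i {red_if} -p {f.proto} "
            f"--dport {f.ext_port} -j DNAT --to-destination {f.int_addr}:{f.int_port}"
        )
        # Allow only new connections to the forwarded host and port through.
        rules.append(
            f"iptables -A FORWARD -i {red_if} -p {f.proto} -d {f.int_addr} "
            f"--dport {f.int_port} -m state --state NEW -j ACCEPT"
        )
    return rules


# Constructed sample input: what Ray describes wanting (rejected) ...
SAME_PORT_BOTH_HOSTS = [
    Forward(22, "192.168.1.2", 22),
    Forward(22, "192.168.1.3", 22),
]
# ... and the usual workaround: one external port per internal host.
ONE_PORT_PER_HOST = [
    Forward(2222, "192.168.1.2", 22),
    Forward(2223, "192.168.1.3", 22),
]

if __name__ == "__main__":
    print("collisions:", check_collisions(SAME_PORT_BOTH_HOSTS))
    for rule in build_rules(ONE_PORT_PER_HOST):
        print(rule)
```

Running it prints the single collision for the first list and four rules for the second. The check matters because a second DNAT rule for the same external port is not an error to iptables; it is simply never reached, so the second host silently gets no traffic, which is the behaviour Ray is describing.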

