List: fwknop-discuss
Subject: Re: [Fwknop-discuss] Help for NAT support details.
From: "Marius Rugan" <mariusrugan () gmail ! com>
Date: 2008-02-29 18:12:22
Message-ID: 5be664990802291012o47746816qecf849cb9f7263d8 () mail ! gmail ! com
Have you tried the
--Spoof-src <IP>
"Spoof the source address from which the *fwknop* client sends SPA packets.
This requires root on the client side access since a raw socket is required
to accomplish this. "
or
incorporate the IP with
--Server-cmd <cmd>

My small setup works, so it should work for you also.
I'm spoofing from the Wi-Fi LAN through the Wi-Fi router (mine runs OpenWrt
Linux - resembles your NAT box) to the main gateway of my small network
(Debian - running SSH):

laptop (192.168.1.X) - wifi (192.168.1.1) - gw box (192.168.254.X)

On Fri, Feb 29, 2008 at 5:03 PM, Abhishek Rahirikar <me_rahirikar@yahoo.co.in> wrote:
> Hi all,
>
> OK, so I was completely ignoring the -R option for resolving the
> external IP address.
> But performing -R on different PCs in my small internal network is
> obviously giving me the same external IP. So now if I send an SPA packet to
> the fwknop daemon from my internal PC with -R, then my whole internal network
> will get access to whichever service is protected.
>
> > Now if we give access to the source of the packet that is NAT address only
> > then all machines internal to the NAT will have access to the SSH service
> > and is clearly not what we want.
>
> So is there any method by which we can give access to a specific
> internal IP?
>
> Thanks,
> Abhishek
>
_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss