
List:       sidewinder
Subject:    RE: [Sidewinder] Re: Nat acl servicegroup questions
From:       sidewinder-admin () adeptech ! com
Date:       2002-12-18 3:17:38

Thanks for the help.  I received some very excellent explanations.

I really appreciate it.


-----Original Message-----
From: sidewinder-admin@adeptech.com [mailto:sidewinder-admin@adeptech.com]
Sent: Monday, December 16, 2002 8:38 AM
To: sidewinder@adeptech.com
Subject: [Sidewinder] Re: Nat acl servicegroup questions


<snip>
> I noticed in my acl output (cf acl q) that I have some acls that list:
> nataddr=None
> and some that have:
> nataddr=host:localhost
> 
> 1. What is the difference between these two?

The nataddr setting controls the address rewriting functions.  In
particular it changes the IP srcaddr from the original source address to
the address specified by nataddr.
So on an outbound connection, say for http, you would probably want to
set this to localhost or another defined address (this is required if
you are using private addressing internally, i.e. 10.x.x.x).  Even if you
are not using private addressing, this obscures the layout of your
network to some degree, which may improve security.
On an inbound connection, say to an internal webserver on your SSN,
setting this to localhost means that your webserver doesn't know which
IP is actually connecting to it because the source address has been
rewritten.  So, web server logs will report all connections as having
come from the firewall.  If you have nataddr set to none, then all of
your logging will work correctly.

Others may disagree but I generally have nataddr set to localhost for
outbound connections and set to none for inbound connections.

> 
> 2. Can two separate acls be combined into one acl with a servicegroup of two
> different proxies if the "nataddr=" is different?

The short answer is no.  The new acl for the service group will have to
have the nataddr setting defined.  Since, you will only have one new acl
for the group, you can't have the nataddr setting defined both ways. 
But, you may be able to combine the rules anyway, effectively changing
the nataddr setting on one of the original acls. 

If you have a private, non-routable addressing system internally, then
any inbound acls may still be combined for service groups but you need
one acl per internal ip address.  This is just because of the way the
nat works.

<snip>

Hope this explanation takes care of your needs!  If not, let me know.

Isaac Hopkins
Security Engineer
Cerz疣
_______________________________________________
Sidewinder mailing list
Sidewinder@adeptech.com
http://mail.adeptech.com/mailman/listinfo/sidewinder
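The rule of thumb above (nataddr=localhost outbound, none inbound) and the servicegroup constraint can be checked mechanically. This is an added example, not code from the thread or from Sidewinder; the line layout and field names (`name`, `direction`, `src`, `dst`, `service`) are assumptions loosely modelled on the `nataddr=...` fragments quoted above, and the sample ACLs are constructed.

```python
import re

# Constructed sample in an assumed one-ACL-per-line key=value layout; the real
# `cf acl q` output format is not reproduced here.
SAMPLE_ACLS = """\
name=out_http direction=outbound src=10.1.0.0/16 service=http nataddr=host:localhost
name=out_ftp  direction=outbound src=10.1.0.0/16 service=ftp  nataddr=None
name=in_web   direction=inbound  dst=10.2.0.5    service=http nataddr=host:localhost
name=in_mail  direction=inbound  dst=10.2.0.6    service=smtp nataddr=None
"""

# RFC 1918 private ranges (10/8, 172.16/12, 192.168/16) by leading octets.
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_acls(text):
    """Split each non-empty line into a dict of its key=value fields."""
    acls = []
    for line in text.splitlines():
        if line.strip():
            acls.append(dict(tok.split("=", 1) for tok in line.split()))
    return acls


def audit(acl):
    """Return findings that contradict the thread's recommended nataddr usage."""
    findings = []
    nat = acl["nataddr"]
    # Inbound rewriting hides the real client from the server's logs.
    if acl["direction"] == "inbound" and nat != "None":
        findings.append("inbound nataddr set: server logs will show the firewall")
    # Outbound from private space must be rewritten to a routable address.
    if acl["direction"] == "outbound" and nat == "None" and PRIVATE.match(acl.get("src", "")):
        findings.append("outbound private source with nataddr=None")
    return findings


def can_share_servicegroup(a, b):
    """One servicegroup ACL carries one nataddr, so both sources must agree."""
    return a["nataddr"] == b["nataddr"]


if __name__ == "__main__":
    for acl in parse_acls(SAMPLE_ACLS):
        print(acl["name"], audit(acl) or "ok")
```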

