[Dshield] How do I determine NAT address

Aaron Lewis aaron at adldatacomm.net
Sat Mar 19 22:42:33 GMT 2005

Been there, done that.


-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org]On Behalf Of Henry Hertz Hobbit
Sent: Saturday, March 19, 2005 1:01 PM
To: General DShield Discussion List
Subject: RE: [Dshield] How do I determine NAT address

On Fri, 2005-03-18 at 04:42, Lauro, John wrote:
> I have java, and it doesn't work.  It states I am behind firewall, but
> only gives the IP address of my proxy server.  It also states I am on
> Windows XP with service pack 2, however I am on Windows XP, but do
> have service pack 2...
> > You can do this in Java as demonstrated at http://www.amihacked.com/
> >
> > Of course, this means the end user must have Java installed.

Will the original poster of this thread please clarify this
for us?  Obviously, we have the above situation protecting John
(who may have some registry setting or something else protecting him).
But John is running Java, or is he?  By default, I ALWAYS have Java
turned off, and turn it on only when necessary.  After I get through
using it I turn it right back off (I use Firefox on Linux).  If you
are going out to the Internet a lot, I advise you do exactly the same
thing, but I KNOW that it is IMPOSSIBLE to ask a normal user to do
that.  They will forget or just leave it on.  If they are using IE,
it is a problem to do it that way anyway for a NORMAL user.  Actually
it might be difficult even for a NORMAL user to do it with Firefox.

The reason I am asking for clarification is that I originally
was going to recommend a transparent firewall:

When you set BSD (if you think you can do it with Linux or Windows,
be my guest) up this way, the firewall doesn't even have any IP
addresses.  That in effect makes it a bridge.  The internal IP
addresses are NOT hidden.  The firewall IS invisible past the next
router, since at that point the MAC address was swapped to the
outgoing router MAC address interface.  Nevertheless, none of the
internal addresses are hidden.  Actually, unless you are a network
person the firewall is essentially hidden and you can use SNORT
and PF to record almost everything.

From what I read though, this may not work and I don't know how
technically literate the person is (other personal qualities
usually win out over technical brilliance for candidates for
jobs) with various versions of Unix.  If they are primarily a
MS Windows person I wouldn't recommend it at all.  Even if you (NOT
the original poster) are coming from the Linux world and are using
iptables, used ipchains, and before that ipfwadm, PF is still
not for the faint of heart.  On the other hand, if you are a SNORT
expert and have worked with various BSDs, be my guest.

I am still a little confused what the original poster wanted and
this solution may be NOT what they want anyway.  What is confusing
me is that he seems to be using NAT INTERNALLY, rather than at the
interface point with the world (EXTERNALLY). If it is internal,
what I proposed would be okay.  If it is their external interface
and they want to use NAT to hide their internal address space
(usually because they have only one external IP address but you
usually want to protect your internal IP address space), then this
is NOT a good solution.  I suspect this is the case, and that is
why I have kept my fingers away from the keyboard.

Key Name:  "Henry Hertz Hobbit" <hhhobbit at comcast.net>
pub   1024D/1CC23BC0 2005-03-08 [expires: 2006-03-08]
Key fingerprint = 9CD0 839E 79C9 5E20 B97A 15A6 9AB7 484D 1CC2 3BC0
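The thread's subject is how a host can work out whether it sits behind NAT and what its translated address is; the applet John tried only reported his proxy's address. The following is an added example, not the amihacked.com applet and not code from anyone on this list. It assumes you have already collected the host's own interface addresses (from ifconfig, ipconfig, or similar) and the address an outside server saw the connection arrive from, and optionally the address of a configured HTTP proxy. The sample addresses at the bottom are constructed; the 203.0.113.0/24 block is a documentation range.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Address space that is never routed on the public Internet. A host whose
# interfaces carry only these addresses must be reaching the outside through
# a translator: RFC 1918 private space plus RFC 6598 carrier-grade NAT space.
# (Python's own ip.is_private is deliberately not used here because it also
# returns True for documentation ranges such as 203.0.113.0/24.)
NAT_ONLY_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def is_translated_range(addr: str) -> bool:
    """True if addr lies in a range that can only reach the Internet via NAT."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NAT_ONLY_RANGES)


def detect_nat(local_addrs: Iterable[str],
               observed_addr: str,
               proxy_addr: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Classify the host's position relative to a NAT gateway.

    local_addrs   -- addresses configured on the host's own interfaces
    observed_addr -- the source address an outside server saw
    proxy_addr    -- address of an HTTP proxy the client is configured to use,
                     if any (hypothetical parameter for this example)

    Returns (verdict, external_address):
      "PROXY"   -- the outside server only saw the proxy, so nothing can be
                   said about NAT (the situation John described)
      "DIRECT"  -- the host itself holds the observed public address
      "NAT"     -- every usable local address is in NAT-only space and the
                   outside world saw a different address: that is the NAT
                   gateway's external address
      "UNKNOWN" -- no usable local address, or a mix of public and private
                   interfaces that this simple check cannot resolve
    """
    if proxy_addr is not None and observed_addr == proxy_addr:
        return ("PROXY", None)

    observed = ipaddress.ip_address(observed_addr)
    # Loopback addresses say nothing about how the host reaches the Internet.
    usable = [ipaddress.ip_address(a) for a in local_addrs
              if not ipaddress.ip_address(a).is_loopback]
    if not usable:
        return ("UNKNOWN", None)
    if observed in usable:
        return ("DIRECT", observed_addr)
    if all(is_translated_range(str(a)) for a in usable):
        return ("NAT", observed_addr)
    return ("UNKNOWN", observed_addr)


if __name__ == "__main__":
    # Constructed samples, not measurements from any real network.
    cases = [
        (["127.0.0.1", "192.168.1.5"], "203.0.113.7", None),
        (["127.0.0.1", "203.0.113.7"], "203.0.113.7", None),
        (["192.168.1.5"], "203.0.113.9", "203.0.113.9"),
    ]
    for local, seen, proxy in cases:
        print(local, seen, proxy, "->", detect_nat(local, seen, proxy))
```

The PROXY branch is the point of the example: when the only vantage point you have is an address reported back by a server reached through a proxy, the answer is "indeterminate", not "the NAT address is the proxy". To get a real answer in that situation the check has to bypass the proxy, or the gateway's external address has to be read from the gateway itself.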
