[TriLUG] counting NAT'ed hosts on the Internet
Greg
gregbrown at mindspring.com
Thu Feb 6 11:28:19 EST 2003
Did anyone else see the article on slashdot yesterday about counting
hosts on the Internet behind NAT'ed firewalls?
<"http://slashdot.org/articles/03/02/05/2129218.shtml?tid=95">
I just finished reading the article and the author didn't really touch
on tunneled or IPsec clients behind firewalls. The article centers on
looking at the IP ID fields in each packets. Most OSes put a
incremental number in the IP ID field to handle fragmentation of packets
once they leave the host. The author developed some software to give a
rough estimate of how many hosts are behind a NAT box by looking into
the IP ID fields.
But he really didn't touch much on tunnels and IPsec (but I only skimmed
the article, but I don't think he talked about it). Anyway, take the
scenario I set up a while for a local small office:
1. Linux firewall - loaded with squid and ssh
2. machines on the LAN (macs, in this case) created a tunnel to the
firewall using SSH. The purpose of this was to encrypt web traffic
which was floating around over 802.11b network. Web browsers were
configured to use a proxy (in this case 127.0.0.1 and port 8080). Squid
was listening on port 8080 and when the client requested a webpage, it
went from the browser to port 8080 on local 127.0.0.1 where SSH picked
it up, encrypted the packet, delivered it to the firewall (and squid)
where squid then sent the packet along via port 80 on the firewall.
In the case outlined above I would think that the firewall would then
re-write every packet since the proxy server was actually doing all the
network queries. It seems that this would be the case, but I don't have
a protocol analyzer lying around to test this out.
What do you think? Yes?
What about IPsec? If the Mac clients were configured via ipfw to allow
ONLY protocols 50 and 51 and port, uh, whatever the IPsec TCP port is,
and the firewall supported IPsec and the Macs could connect via a IPsec
client to the firewall then ALL the packets on the network, regardless
if they were staying on the LAN or hitting the Internet/WAN, would have
IP ID fields set only by the IPsec Firewall. Correct?
Just curious.
Greg
More information about the TriLUG
mailing list