RE: Firewalling and MASQ

Eric Kluft (
Thu, 9 Dec 1999 21:41:47 +0100

If you send a packet to a server through a masqing server, the following happens:

the internal client sends a packet with:
its own IP number,
the IP number of the external server it wants to connect to,
its own local port,
the port of the external server it wants to connect to.

This packet arrives at the masqing server. This server replaces:
the IP number of the client by its own external IP number,
the source port of the client by its own source port,
and sends the packet to the remote server.
The masqing server adds the fact that it sent a packet for that internal
client (with local port x, remote port y to server z) to a list.

If the masqing server receives a packet, it looks at the source port,
destination port and destination IP of the packet. If it finds this data in
the list, it forwards the packet to the client (after replacing the destination
IP number and destination port).
If it is not found in the list the normal routing / firewall rules apply.

You'll agree with me that it's extremely hard to attack a client behind a
masqing server. Extra deny policies or programs are really unnecessary.


-----Original Message-----
From: Stephen L. Favor []
Sent: Thursday, December 09, 1999 8:34 PM
To: Glynn Clements
Subject: Re: Firewalling and MASQ

Glynn Clements wrote:

> Stephen L. Favor wrote:
> > I would like to configure a box to forward only TCP and
> > UDP packets associated with a MASQ session and I can't quite
> > figure out a way to do it. I can open 61000:65096 to the world
> > and MASQ works fine, but I would prefer only let the ports with
> > active sessions through the firewall. Can anyone tell me how to
> > do this?
> Replies to masqueraded packets pass the forwarding chain
> automatically, so you can just configure the forwarding chain to
> reject all inbound packets.

Interesting but (unless I'm missing something) I need to block these
with the input filter. At that point, packets bound for the router
host and packets bound for MASQ-forwarded hosts have the same IP. If
I let them pass so they will deMASQ, I also let potentially malicious
packets bound for the local host in. These hit the "Routing
Decision" phase and go right to a local process. What I really need
is for there to be another FW chain consulted for local packets after

The only way I've figured out to do this is to write a daemon that
uses the netlink device and a user program to add an entry in the
FW to allow packets on a per-port basis every time it sees a connect
request pass the MASQ forward rule and remove the entry whenever the
disconnect occurs or it no longer appears in /proc/.../*_masq.
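Added example, not part of either message above: a small Python model of the
masquerade list Eric describes (outbound rewrite, entry added, inbound lookup on
source ip/port and destination port, fall-through when nothing matches), run
against the case Stephen raises: a packet to a port inside 61000:65096 that
belongs to no active session is not demasqueraded and reaches the masq host's
own input path. The port range is the one Stephen quotes; the addresses, the
`Masquerader` class and the `active_ports()` helper (what a per-port daemon like
the one Stephen sketches would consult) are my own constructions, not kernel
code.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

MASQ_PORT_LO, MASQ_PORT_HI = 61000, 65096      # the range Stephen opened to the world
EXTERNAL_IP = "203.0.113.1"                     # constructed: masq server's outside address

# (proto, client ip, client port, server ip, server port)
Flow = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Masquerader:
    """Keeps the list Eric describes: which masq port belongs to which internal flow."""

    def __init__(self) -> None:
        self._table: Dict[int, Flow] = {}
        self._next_port = MASQ_PORT_LO

    def _alloc_port(self) -> int:
        """Pick a free port in the masq range (round-robin, wrapping at the top)."""
        span = MASQ_PORT_HI - MASQ_PORT_LO + 1
        for _ in range(span):
            port = self._next_port
            self._next_port = MASQ_PORT_LO + (port - MASQ_PORT_LO + 1) % span
            if port not in self._table:
                return port
        raise RuntimeError("masq port range exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Internal client -> outside: rewrite source ip/port and remember the flow."""
        flow: Flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for mport, known in self._table.items():     # reuse the entry for an existing flow
            if known == flow:
                return Packet(pkt.proto, EXTERNAL_IP, mport, pkt.dst_ip, pkt.dst_port)
        mport = self._alloc_port()
        self._table[mport] = flow
        return Packet(pkt.proto, EXTERNAL_IP, mport, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Tuple[str, Packet]:
        """Packet arriving on the outside interface.

        Returns ("demasq", rewritten) when proto, source ip, source port and
        destination port all match a recorded flow. Otherwise ("local", pkt): the
        masq code does not claim it, so it continues to the normal routing and
        firewall rules, i.e. to whatever listens on that port on the masq host.
        """
        known = self._table.get(pkt.dst_port)
        if (pkt.dst_ip == EXTERNAL_IP and known is not None
                and known[0] == pkt.proto
                and known[3] == pkt.src_ip and known[4] == pkt.src_port):
            _, client_ip, client_port, _, _ = known
            return "demasq", Packet(pkt.proto, pkt.src_ip, pkt.src_port, client_ip, client_port)
        return "local", pkt

    def close(self, mport: int) -> None:
        """Session ended (close seen or timer expired): drop the list entry."""
        self._table.pop(mport, None)

    def active_ports(self) -> Set[int]:
        """Ports a per-port input-chain daemon would currently allow through."""
        return set(self._table)


def demo() -> dict:
    m = Masquerader()
    client = Packet("tcp", "192.168.1.10", 1025, "198.51.100.7", 80)   # constructed addresses
    out = m.outbound(client)
    reply = Packet("tcp", "198.51.100.7", 80, EXTERNAL_IP, out.src_port)
    verdict, back = m.inbound(reply)
    # Same masq port but a different outside source: no list entry matches.
    stray, _ = m.inbound(Packet("tcp", "198.51.100.99", 80, EXTERNAL_IP, out.src_port))
    # A port inside 61000:65096 with no session at all: not demasqed, hits the local host.
    probe, _ = m.inbound(Packet("tcp", "198.51.100.99", 4444, EXTERNAL_IP, 61005))
    ports_before = m.active_ports()
    m.close(out.src_port)
    after_close, _ = m.inbound(reply)                 # entry gone, reply now falls through
    return {"masq_port": out.src_port, "verdict": verdict, "back": back, "stray": stray,
            "probe": probe, "ports_before": ports_before, "after_close": after_close}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "local" results are the crux of the disagreement: the list protects the
internal client exactly as Eric says, but a packet with no matching entry is not
dropped by the masq code, it is simply handed on, which is why Stephen wants the
input chain to admit only the ports in `active_ports()` rather than the whole range.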

To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to