[linux-security] IP Filters and Masq: precisions

[Mailing Lists <mlist almerco ca>]

Hi!

>IP Masquerading, but the computers under the firewall *think* they are on
>a normal ip network.  In other words, you don't need to tell the programs
>that they are behind a firewall, they will function normally as they would
>on any network.  The only downfall is you cannot make incoming connections
>to any of those machines..but isn't that the whole idea of a firewall? :)
>Overall, it works great for me...

Ok, perhaps I misphrased a little (I'm french and sometimes.., well ok,
most of the time  struggeling with my english!) ;)  I'll CC this one the
linux-security to clarify what I meant.

I know about how masq works, I already have built one network using it.  I
have 15 computers inside my ip+masq firewall, with the fake ip c class
192.168.x.x, and 5 computers in a normal class C on the outside.  It works
great!  My only concern really is that I want to know if there is any way
for a hacker to directly connect to one of my protected computers from the
outside.  Can a java or activeX applet do the thrick?  Or if a computer
from the inside initiate a connexion to some.evil.org, can this host piggy
backs the link and access the computer from which the connection was
initially made?  That's the kind of questions I'm asking myself and haven't
seen any answers about them.  Some friend of mine says he heard of a way to
circumvent a masq firewall and access a computer inside, but that's as far
has he remembers.

Thanks!