Method of passing bi-directional data between two firewalls.
John L. Sokol 6/3/02
(Server A)--(Firewall)
                |
                X
                |
(Server B)--(Firewall)
Under normal circumstances, neither firewall will allow the other side to make an inbound connection into its protected network.

Below is a way I found for doing this, based on a third, external server that helps establish the connection but doesn't carry any of the data.
Step 1

(Server A)--(Firewall)--\
                         \
                      (Server C)

Server A can connect to C through the firewall. This works for TCP and in most cases UDP packets.
Step 2

(Server A)--(Firewall)--\
                         \
                      (Server C)
                         /
(Server B)--(Firewall)--/

Server B can also establish a connection to C. At this point A can send messages to B through C.

More importantly, the NAT or firewall has created a forward and reverse "MAPPING" from A to C and from B to C, for UDP and/or TCP.
Step 3

(Server A)--(Firewall)--\
    /|\                  \
     |                (Server C)
    \|/                  /
(Server B)--(Firewall)--/

C can now send the mapped source IP and port for Server A to Server B through the firewall, and likewise B's mapping to A.

At this point A can send "SPOOFED" packets with packet headers as if it were C talking to B. These packets would be routed through the firewall to B, and B can do the same, giving a reverse path.

At this point server C is no longer needed.

This requires that the NAT/firewall not "RE-MAP" packets whose source IP is not from the internal network, and it may require further testing. I have only tested this on FreeBSD's NAT and Linux's IP Masquerading, in the previous century.
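The rendezvous exchange of Steps 1 to 3 (A and B each register with C, and C returns to each the mapped source IP and port it observed for the other), as an added Python example that is not part of the original note. It covers only Server C's role and the mapping exchange; the REG/PEER wire format and the localhost demo are assumptions made for the example.

```python
import socket
import threading

def register(pending, session, mapped_addr):
    """Server C's bookkeeping: store the first peer of a session, and when the
    second arrives return (first, second) so both can be told about each other."""
    first = pending.pop(session, None)
    if first is None:
        pending[session] = mapped_addr
        return None
    return first, mapped_addr

def parse_request(data):
    """Assumed wire format b'REG <session>'; returns the session, or None if malformed."""
    parts = data.decode("ascii", "replace").split()
    return parts[1] if len(parts) == 2 and parts[0] == "REG" else None

def peer_message(addr):
    """Assumed reply format b'PEER <ip> <port>' carrying the other side's mapping."""
    return f"PEER {addr[0]} {addr[1]}".encode()

def serve(sock, pending, rounds):
    """Handle `rounds` datagrams on C. The source address recvfrom() reports is
    the firewall's external mapping from Step 2, which is what the peer needs."""
    for _ in range(rounds):
        data, src = sock.recvfrom(512)
        session = parse_request(data)
        pair = register(pending, session, src) if session else None
        if pair:
            first, second = pair
            sock.sendto(peer_message(second), first)  # tell A about B
            sock.sendto(peer_message(first), second)  # tell B about A

def demo():
    """Run C and two clients on localhost; return [(own_addr, learned_peer_addr), ...]."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    worker = threading.Thread(target=serve, args=(server, {}, 2))
    worker.start()
    clients = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(2)]
    for c in clients:
        c.bind(("127.0.0.1", 0))  # explicit bind so getsockname() reports 127.0.0.1
        c.settimeout(5)
        c.sendto(b"REG demo", server.getsockname())
    learned = [c.recv(512).decode().split() for c in clients]
    worker.join()
    result = [(c.getsockname(), (m[1], int(m[2]))) for c, m in zip(clients, learned)]
    for s in clients + [server]:
        s.close()
    return result
```

Behind real NATs the address C reports back differs from the client's own getsockname(), which is exactly the mapping the note relies on; on localhost the two coincide.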