Method of passing bi-directional data between two firewalls.
John L. Sokol 6/3/02
Under normal circumstances, neither firewall will allow the other to make an external connection into its protected network.
Below is a way I found for doing this, based on a third, external server that helps establish the connection but does not carry any of the data.
Server A can connect to C through the firewall.
This works for TCP and in most cases UDP packets.
Server B can also establish a connection to C.
At this point A can send messages to B through C.
More importantly, the NAT or firewall has created a forward and reverse "MAPPING" from A to C and from B to C, for UDP and/or TCP as appropriate.
[Diagram: Server A and Server B, each behind its own firewall, both connected to Server C]
C can now send the Mapped source IP and port for Server A to Server B through the firewall and also for B to A.
At this point A can send "SPOOFED" packets whose headers are written as if it were C talking to B. These packets would be routed through B's firewall to B, and B can do the same in the other direction, giving a reverse path.
At this point server C would no longer be needed.
This requires that the NAT/firewall not "RE-MAP" packets whose source IP is not from the internal network, and it may require further testing. I have only tested this on FreeBSD's NAT and Linux's IP Masquerading in the previous century.
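The following is an added simulation, not the author's code, that walks through the steps above with two modelled NATs and a rendezvous host C, and exercises the condition stated in the last paragraph. Addresses, ports and the three policy names ("pass", "drop", "remap") are constructed for the example; "pass" is the behaviour the page says the technique needs, "remap" is the failure case it warns about, and "drop" models egress anti-spoofing filtering (BCP 38 style), which a defender can deploy at the border to stop any outbound packet that claims a source address outside the internal network. Inbound filtering uses the RFC 4787 terms address-restricted and port-restricted.

```python
"""Constructed model of the rendezvous-server NAT traversal described above.

Two port-translating NATs, a public rendezvous host C, and the policies a NAT
might apply to an outbound packet whose source address is not internal.
All addresses are RFC 5737 documentation ranges chosen for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Nat:
    """Port-translating NAT that remembers, per mapping, which remote peers it sent to.

    foreign_source: policy for an outbound packet whose source is not internal.
      "pass"  - forward it untouched (the condition the page says is required)
      "drop"  - egress anti-spoofing filtering (BCP 38 style)
      "remap" - translate it like an internal packet (the case the page warns about)
    filtering: "address" or "port" restricted inbound filtering (RFC 4787 terms).
    """

    def __init__(self, internal_prefix, external_ip, foreign_source="pass", filtering="address"):
        self.internal_prefix = internal_prefix
        self.external_ip = external_ip
        self.foreign_source = foreign_source
        self.filtering = filtering
        self.next_port = 1024
        self.outbound = {}   # (internal ip, port) -> external port
        self.inbound = {}    # external port -> (internal ip, port)
        self.peers = {}      # external port -> set of (remote ip, port) sent to

    def egress(self, pkt):
        """Translate an outbound packet; return it as seen on the wire, or None if dropped."""
        if not pkt.src_ip.startswith(self.internal_prefix):
            if self.foreign_source == "drop":
                return None
            if self.foreign_source == "pass":
                return pkt
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key], self.inbound[port], self.peers[port] = port, key, set()
        port = self.outbound[key]
        self.peers[port].add((pkt.dst_ip, pkt.dst_port))
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def ingress(self, pkt):
        """Forward an inbound packet to the mapped internal host, or None if no mapping admits it."""
        if pkt.dst_ip != self.external_ip or pkt.dst_port not in self.inbound:
            return None
        peers = self.peers[pkt.dst_port]
        if self.filtering == "port":
            allowed = (pkt.src_ip, pkt.src_port) in peers
        else:
            allowed = any(ip == pkt.src_ip for ip, _ in peers)
        if not allowed:
            return None
        int_ip, int_port = self.inbound[pkt.dst_port]
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port, pkt.payload)


C = ("192.0.2.10", 9000)          # rendezvous server C, public address (constructed)


def run_scenario(a_foreign_source="pass", b_filtering="address"):
    """Run the page's steps and report what happens to A's first direct packet to B."""
    nat_a = Nat("10.0.0.", "198.51.100.1", foreign_source=a_foreign_source)
    nat_b = Nat("192.168.1.", "203.0.113.1", filtering=b_filtering)
    a_int = ("10.0.0.5", 40000)
    b_int = ("192.168.1.7", 50000)

    # Steps 1-2: A and B each connect to C; the NATs create mappings and C observes
    # each side's mapped (external) address and port.
    nat_a.egress(Packet(*a_int, *C, "A->C"))
    b_mapped = nat_b.egress(Packet(*b_int, *C, "B->C"))
    b_ext = (b_mapped.src_ip, b_mapped.src_port)

    # Step 3: C hands A the mapped endpoint of B (over the existing A<->C path, not modelled).
    # Step 4: A emits a packet whose header carries C's address, addressed to B's mapping.
    on_wire = nat_a.egress(Packet(*C, *b_ext, "A->B direct"))
    if on_wire is None:
        return "dropped at A: egress anti-spoofing filter"
    delivered = nat_b.ingress(on_wire)
    if delivered is None:
        return f"dropped at B: source {on_wire.src_ip}:{on_wire.src_port} never seen by B's mapping"
    return f"delivered to {delivered.dst_ip}:{delivered.dst_port}"


if __name__ == "__main__":
    for args in [(), ("drop",), ("remap",), ("pass", "port")]:
        print(args, "->", run_scenario(*args))
```

Running the four cases shows that the direct path only works when A's NAT forwards the foreign-source packet untouched; a NAT that translates it presents B's NAT with an address it has never sent to, and a border that applies egress anti-spoofing filtering never lets the packet out at all. Because the spoofed header copies C's port as well as its address, the model's port-restricted NAT at B behaves the same as the address-restricted one.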