
RE: Domain login through a NAT / FW?

From: Benjamin Meade <ben(at)lanwest.com.au>
Date: Sun Nov 24 2002 - 07:27:47 EST

Unless you have reason for the current arrangement, move the domain controller in front of the NAT box, and they should be able to connect fine. It will also mean that you can log login attempts to your domain by IP.

I can also vouch for squid. You will notice a HUGE difference in your bandwidth use, and you also don't have to worry about sites like friendgreetings.com. Just be aware that it will need a bit of tweaking so your users can access the sites needed for work.

Benjamin Meade
Systems Administrator
LanWest Pty Ltd

-----Original Message-----

From: Quentin Hartman [mailto:qhartman@lane.k12.or.us]
Sent: Tuesday, 19 November 2002 2:36 AM
To: security-basics@securityfocus.com
Subject: Domain login through a NAT / FW?

Colleagues-

I am currently dealing with the following problems on a network I recently inherited:

-Spurious bandwidth use (mostly from P2P applications) that is impacting other critical applications
-Clients are using public IPs and running rogue services, which have no legitimate need to.
-No way to contain problem machines

I plan to address these issues by moving most of the clients behind IP-Tables based NAT servers / firewalls, BIND DNS caches, and (possibly) Squid web caches.

One problem I am running into in testing this setup is that clients are not able to authenticate to the domain controller on the other side of the NAT box. In writing this it occurred to me that I probably need to set up the NAT machine as a WINS proxy. Am I on the right track? Do any of you have suggestions for superior methods to address the problems mentioned above? Is there another list you would suggest posting this to that may be more appropriate than this one? I have prayed to Google repeatedly and not come up with anything relevant yet. The NAT boxes are Linux Redhat 7.3, the domain controller is NT 4 (soon to be RH as well), and the clients are Windows 98SE.

-Regards-

-Quentin Hartman-

Computing and Networking Services Coordinator
Fern Ridge School District 28J
Elmira, OR
Office: 541-935-2253 x429
Cell: 541-914-2989
qhartman@lane.k12.or.us
www.fernridge.k12.or.us

Received on Mon Nov 25 16:49:47 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:03:24 EDT

