Date: Thu, 23 Feb 2006 05:36:51 -0600
From: "Travis H." <solinym@gmail.com>
To: "Greg Hennessy" <Greg.Hennessy@nviz.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Dirty NAT tricks
Message-ID: <d4f1333a0602230336t5d29532fp704af80b67e58cfb@mail.gmail.com>
In-Reply-To: <000001c637b3$a54b0a70$0a00a8c0@thebeast>
References: <1140612265.5617.25.camel@localhost.localdomain> <000001c637b3$a54b0a70$0a00a8c0@thebeast>
On 2/22/06, Greg Hennessy <Greg.Hennessy@nviz.net> wrote:
> How is this a problem ? Surely the default route is through the tunnel
> interface when the tunnel is up ?

Yes, but a more-specific route (the locally attached network) takes
precedence over the default. And he can't change that or he won't be
able to get his packets out of LAN. His iptables rules change the
destination IP temporarily, just for routing purposes.

By the way, if setting up a network with RFC 1918 addresses, I recommend
choosing something from within 172.17-31.x.x --- for some reason very
few people choose the class B, whereas 10/8 and 192.168.x are much more
popular.

OP: As Brian Candler pointed out, you can do this with a binat to a
fictitious network on the client, then a binat back on the VPN server.
I don't know what he means by "reversing the in/out sense", as binat is
bidirectional.

--
Security Guru for Hire http://www.lightconsulting.com/~travis/ -><-
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484
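The binat arrangement Travis and Brian Candler describe, sketched as an added pf.conf example that is not from the thread. The interface names and the networks (both sites on 192.168.1.0/24, fictitious 172.20.1.0/24 and 172.21.1.0/24 from the 172.16/12 block Travis recommends) are assumptions for illustration; the translation is done on the tunnel interface so that inbound packets are rewritten before the routing lookup, which is what keeps the directly attached 192.168.1.0/24 route from swallowing them.

```pf
# Added example, not from the thread. Assumed layout: the client site and
# the VPN server site both use 192.168.1.0/24, so the locally attached
# (more-specific) route always wins over the tunnel. Each side therefore
# presents its LAN across the tunnel under a fictitious /24 of equal size,
# which is what a binat between two netblocks does.

# --- client-side gateway: /etc/pf.conf ---
tun_if = "tun0"
# Outbound on tun0: source 192.168.1.x becomes 172.21.1.x.
# Inbound on tun0:  destination 172.21.1.x becomes 192.168.1.x, then routed to the LAN.
binat on $tun_if from 192.168.1.0/24 to any -> 172.21.1.0/24
# Clients reach the remote LAN as 172.20.1.x; that prefix is routed via the tunnel,
# so it never collides with the attached 192.168.1.0/24 route:
#   route add -net 172.20.1.0/24 -interface tun0

# --- VPN server: /etc/pf.conf ---
tun_if = "tun0"
# The mirror image: the server LAN appears as 172.20.1.0/24 beyond the tunnel,
# and packets arriving for 172.20.1.x are delivered to 192.168.1.x locally.
binat on $tun_if from 192.168.1.0/24 to any -> 172.20.1.0/24
# The server routes the client's fictitious network back over the tunnel:
#   route add -net 172.21.1.0/24 -interface tun0
```

Because both rules are binat, the same rule handles traffic initiated from either side; only the fictitious addresses ever appear inside the tunnel, so nothing in the path sees two hosts claiming the same 192.168.1.x address.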