From: "Mustafa N. Deeb"
To: Ramiro Vázquez
Date: Tue, 22 Jan 2002 19:23:03 +0200
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Message-Id: <5.1.0.14.0.20020122192225.00b4c9c0@mail.palnet.com>
In-Reply-To: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>

Well, the MSN guys say that MSN behind private addressing won't work unless you use a SOCKS server. ONLY...

Cheers

At 11:19 AM 1/22/2002 -0600, Ramiro Vázquez wrote:
>Hi,
>
> We work at a cable ISP and we are using NAT & PAT to provide enough IP
>addresses to our customers.
>
> We have experienced problems with certain applications, mostly with
>peer-to-peer applications like MSN Messenger.
> Some features, like the send-file function, don't work.
> We put a sniffer on and discovered that when one of our customers tries to send
>a file to someone outside our net, it does this:
> 1.- The application opens a port (6891-6899).
> 2.- Sends the IP of the machine (the private IP) and the port that is
>listening.
> 3.- The other peer tries to connect to the private IP and the port that
>it received.
> 4.- The connection fails.
>
> We modified a proxy to change the packet that the application sends, replacing
>the private IP and the local port with a public IP and another port; then the
>proxy sends these changes to an application that just maps or forwards the port
>that we sent to the peer outside to the real IP and port of our customer.
>
> This solution works and we are going to begin testing with more
>connections, but maybe it is not the best solution; one disadvantage is that
>the customer must specify a proxy, and that is hard work.
>
> We think that if we could make these changes with ipfw or IPFilter and
>then add a rule to natd or ipnat to forward the port, it would be more
>efficient.
>
> Then we could redirect the traffic of MSN to ipfw or IPFilter and make
>it all transparent to our customers.
>
> We think that we can do this for the most important applications to
>solve this problem, and it is very important because we use a lot of PAT and
>many applications can't work with their complete features.
>
> Is it possible to make this with ipfw? Is anybody working around this?
>
> Any idea or comment would be helpful!
>
> Thanks.
>
>Ramiro Vazquez
>Megacable
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-ipfw" in the body of the message
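The mechanism Ramiro describes is an application-layer gateway (ALG): the NAT box has to read the private IP and port the client embeds in the payload, rewrite them to a public IP and port, and install a matching port forward so the outside peer's connection comes back to the right customer. The toy below, added as an illustration and not code from this thread or from FreeBSD, models that step and emits the natd(8) redirect_port line the rewritten mapping would need. The "ip:port" payload grammar, the public port pool and the sample addresses are assumptions made up for the example, not the real MSN Messenger wire format.

```python
"""Added example, not code from the thread or from FreeBSD: a toy
application-layer gateway (ALG) modelling the fix Ramiro describes.

The client puts its private IP and a listening port (6891-6899) into the
payload; the ALG rewrites that to the NAT's public IP plus an allocated
public port and emits the natd(8) redirect_port rule that forwards the
public port back to the client. The "ip:port" payload grammar and the
public port pool are assumptions made for illustration, not the real
MSN Messenger protocol.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Client-side port range the application uses (stated in the thread).
APP_PORTS = range(6891, 6900)

# RFC 1918 space: only addresses in here need rewriting behind the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed payload grammar: the advertised endpoint appears as plain "ip:port".
ADVERT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def is_rfc1918(ip: str) -> bool:
    """True for private (RFC 1918) addresses; malformed text is treated as not private."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def natd_redirect_rule(priv_ip: str, priv_port: int, pub_ip: str, pub_port: int) -> str:
    """natd(8) syntax: redirect_port proto targetIP:targetPORT aliasIP:aliasPORT."""
    return f"redirect_port tcp {priv_ip}:{priv_port} {pub_ip}:{pub_port}"


@dataclass
class Alg:
    public_ip: str
    # Public ports the NAT box may hand out; an assumed pool, not from the thread.
    public_ports: range = range(40000, 40010)
    # (private_ip, private_port) -> public_port. A real ALG would expire these
    # entries together with the NAT state; this toy keeps them for the session.
    mappings: dict = field(default_factory=dict)

    def _allocate(self, priv_ip: str, priv_port: int):
        """Return (public_port, is_new); reuse an existing mapping if present."""
        key = (priv_ip, priv_port)
        if key in self.mappings:
            return self.mappings[key], False
        in_use = set(self.mappings.values())
        for port in self.public_ports:
            if port not in in_use:
                self.mappings[key] = port
                return port, True
        raise RuntimeError("public port pool exhausted")

    def rewrite(self, payload: str):
        """Rewrite advertised private endpoints; return (payload, new natd rules).

        Endpoints that are already public, or not on an application port, are
        left untouched, so the ALG never alters traffic it does not understand.
        """
        rules = []

        def repl(match):
            ip, port = match.group(1), int(match.group(2))
            if not is_rfc1918(ip) or port not in APP_PORTS:
                return match.group(0)
            pub_port, is_new = self._allocate(ip, port)
            if is_new:
                rules.append(natd_redirect_rule(ip, port, self.public_ip, pub_port))
            return f"{self.public_ip}:{pub_port}"

        return ADVERT_RE.sub(repl, payload), rules


if __name__ == "__main__":
    # Constructed sample: a customer at 192.168.1.20 advertises port 6891.
    alg = Alg(public_ip="203.0.113.7")
    new_payload, rules = alg.rewrite("FILE-OFFER 192.168.1.20:6891")
    print(new_payload)
    for rule in rules:
        print(rule)
```

The same customer advertising the same port a second time gets the existing mapping back and no duplicate rule, and anything that is not a private address on an application port passes through untouched; that second property is what keeps a payload-rewriting gateway from corrupting traffic it was never meant to handle.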