Date: Tue, 8 Aug 2000 19:33:38 -0700 (PDT)
From: Benjamin Gavin <virtual_olympus@yahoo.com>
To: Ruslan Ermilov <ru@sunbay.com>
Cc: freebsd-net@freebsd.org
Subject: Re: NATD and non-UDP/TCP packets
Message-ID: <20000809023338.12896.qmail@web311.mail.yahoo.com>
Hi,

I'm responding to both of these responses (mostly because then I can keep my thoughts a little more coherent), so bear with me :).

First:

--- Ruslan Ermilov <ru@sunbay.com> wrote:
> > these functions, or is there any possibility that these protocols will
> > be included in future NATD versions?
> >
> You can redirect a particular IP protocol with -redirect_proto rule, or
> any protocol with -redirect_address rule.
>

I'm using 3.5-STABLE, and this "redirect_proto" doesn't exist in natd. Is this an old/deprecated feature, or a new feature of 4.0+?? Does the redirect_proto command (assuming I can use it :) ) only allow for redirection to a single host, or will it perform standard NAT on any protocol (sans port)? The redirect_address is not an acceptable solution. The reason I ask is because of the second response I got, which is what I was expecting (and hoping wasn't the case).

> Please refer to libalias(3) manual page, section CONCEPTUAL BACKGROUND,
> for more details.

Thanks, I'll take a look.

-------- Reply to second message

>> What are the fundamental differences between ESP/AH and TCP/UDP? Are
>> they inherently more complicated to translate,
>
> They are designed to be cryptographically secure, and hence,
> impossible to NAT. If you want to do NAT, you'll have to terminate
> the SAs at the boundary and create an appropriate new set for the
> ``public'' side.
>
> -GAWollman

Hmmmm... I may be going braindead (P.S. What's an SA?), but will this be possible on the same firewall box?? How will the routing work, even assuming I can get the proper clients for FreeBSD? (Now: I've thought about it more, and do you mean setting up a server-server tunnel, then routing traffic through it and not having the clients have tunnel software installed?? I'm not concerned about the traffic on the local nets, just across the internet. I've done that type of thing before, but I don't know if it will apply to this problem :( ).

It may be appropriate to include (which I missed in my original message) that I am running FreeBSD 3.5-STABLE (mentioned earlier), and that I am trying to get the Cisco SafeNet VPN client (yes, I would prefer something else, but I don't have a choice) working from behind it. Cisco doesn't seem to know whether this combination will work (at least none of their on-line docs say it won't), so I am optimistically assuming it can be done. Any creative ideas (and I'm not against hacking the natd daemon)?? Of course, I would prefer if someone had gotten it working and that they just share their secrets :).

Thanks,
Ben
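The "cryptographically secure, and hence, impossible to NAT" point above, as an added illustration that is not part of the thread: a simplified model of the AH integrity check (RFC 2402 style), where the ICV covers the immutable IP header fields including source and destination address, with mutable fields such as TTL zeroed. A plain router hop (TTL decrement) leaves verification intact; a NAT box rewriting the private source address does not. Key and addresses are constructed sample values, and the ICV computation is a teaching simplification, not libalias or a real IPsec stack.

```python
import hmac
import hashlib
import ipaddress
import struct
from dataclasses import dataclass, replace

# Constructed sample SA key for the demo; not a real key.
KEY = b"constructed-demo-ah-key"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    payload: bytes


def ah_icv(pkt: Packet, key: bytes = KEY) -> bytes:
    """Simplified AH ICV: HMAC over immutable header fields and payload.
    TTL is mutable in transit and is hashed as zero, as RFC 2402 prescribes
    for mutable fields; src/dst are immutable and therefore covered.
    Truncated to 96 bits like the standard AH authenticators."""
    covered = struct.pack(
        "!4s4sB",
        ipaddress.ip_address(pkt.src).packed,
        ipaddress.ip_address(pkt.dst).packed,
        0,  # TTL zeroed before hashing
    ) + pkt.payload
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]


def ah_verify(pkt: Packet, icv: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(ah_icv(pkt, key), icv)


def router_hop(pkt: Packet) -> Packet:
    """An ordinary router only decrements TTL."""
    return replace(pkt, ttl=pkt.ttl - 1)


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    """A NAT box decrements TTL and rewrites the private source address."""
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def demo() -> tuple:
    # Constructed addresses from the documentation ranges.
    inner = Packet("192.168.1.10", "203.0.113.5", 64, b"constructed AH-protected data")
    icv = ah_icv(inner)  # computed by the sender over the original header
    return ah_verify(router_hop(inner), icv), ah_verify(nat_rewrite(inner, "198.51.100.7"), icv)
```

`demo()` returns `(True, False)`: routing alone is fine, address translation invalidates the authenticator, which is why the SAs have to be terminated at the boundary rather than translated through it.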