Date:      Sat, 18 May 1996 15:15:43 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        ejs@bfd.com (Eric J. Schwertfeger)
Cc:        terry@lambert.org, archie@whistle.com, dwhite@riley-net170-164.uoregon.edu, clintm@ICSI.Net, FreeBSD-Questions@freebsd.org
Subject:   Re: ip masquerading
Message-ID:  <199605182215.PAA24841@phaeton.artisoft.com>
In-Reply-To: <Pine.BSF.3.91.960518105811.17730A-100000@harlie.bfd.com> from "Eric J. Schwertfeger" at May 18, 96 11:07:09 am

> > Which is to say, you turn on IP forwarding by default (which is illegal)
> > and rewrite the packet source headers on the way in and out (which is
> > also illegal).
> 
> > Writing a socks client that hooks to a tunnel driver on the machine
> > that needs the masquerading is a better solution, and it doesn't
> > require kernel hacks to get there (or source hacks for statically
> > linked binaries, like normal socks does).  And it does it without
> > violating the world.
> > 
> > I guess you would need to write a tunnel client daemon (instead of
> > putting in about twice as much work to write IP masquerading, as
> > well as dragging the poor kernel into the mess).
> > 
> > Seems like that would provide the same capability for less effort
> > with fewer drawbacks -- but would require an OS (like FreeBSD) with
> > tunnel drivers to make it work.
> 
> And as I've said before, sorry, I don't have the source to Win95, so I 
> can't do that.  I agree that masquerading isn't a fix-all, or even the 
> preferred method of handling this, but until Socks5 is to the point that 
> it can "socksify" programs that I don't have source for, without 
> interfering with regular operations, and do this under OS/2, Windows 
> 3.X, NT, and Win95, then my choice is to run Linux on our firewall and 
> use masquerading, or to spend a few weeks of time that I haven't got 
> figuring out how to proxy a bunch of non-standard services for apps that 
> I haven't got source for.

Huh?!?  Splain it to me.


If I have a FreeBSD box that has a socks client daemon on it and
options GATEWAY is turned on, then incoming packets from the
ethernet interfaces are considered in one of two lights:

1)	Destined for the local net

2)	Destined for other than the local net


If there is a local net route, such that local packets are sent to
the local ethernet, and non-local packets are forwarded to the
tunnel device (the default route), which then "socks'ifies" them
onto another local net, then the socks client and daemon can run
on the same box.  Which then forwards non-locally generated packets
for the real net to the default interface for the non-local subnets
(it does this because you are running gated).

So IP packets from your local net 'A' get socksified to local net
'B' and local net 'B' traffic from the real net comes from the
socks host and is routed via the PPP interface.

So you source route.

I don't see what's so hard to understand.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
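As an added illustration of the forwarding decision described in the message above (local-net traffic stays on the ethernet, everything else goes to the tunnel device and a user-space SOCKS client), set beside the header-rewriting masquerading approach the quoted text argues against, here is a small Python simulation. It is not code from the thread; the interface names, addresses and port range are assumed.

```python
import ipaddress
import struct

# Constructed topology (assumed, not from the thread): local net 'A' on ed0,
# tunnel device tun0 holding the default route to the SOCKS client.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "ed0"),  # local net route
    (ipaddress.ip_network("0.0.0.0/0"), "tun0"),       # default route -> tunnel
]

def route(dst):
    """Longest-prefix match over ROUTES: returns the outgoing interface name."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]

def socks5_connect_request(dst, port):
    """SOCKS5 CONNECT request (RFC 1928), sent after method negotiation:
    VER=5, CMD=1 (CONNECT), RSV=0, ATYP=1 (IPv4), DST.ADDR, DST.PORT."""
    return b"\x05\x01\x00\x01" + ipaddress.ip_address(dst).packed + struct.pack(">H", port)

def forward(dst, port):
    """What the gateway does with a packet for dst:port. Non-local traffic is handed
    to the user-space SOCKS client on tun0; the packet header is never rewritten."""
    iface = route(dst)
    if iface == "tun0":
        return ("socks", socks5_connect_request(dst, port))
    return ("local", iface)

class Masquerader:
    """The approach the quoted text objects to: rewrite the source header on the way
    out and keep a translation table to undo it on the way back (per-flow state)."""
    def __init__(self, public_addr, first_port=40000):
        self.public_addr = public_addr
        self.table = {}          # public port -> (original src, original sport)
        self.next_port = first_port
    def outbound(self, src, sport):
        port = self.next_port
        self.next_port += 1
        self.table[port] = (src, sport)
        return (self.public_addr, port)  # rewritten source header
    def inbound(self, port):
        return self.table[port]          # restore original destination on the reply
```

The Masquerader table is the state a masquerading kernel must keep for every flow; the tunnel path keeps none, since the SOCKS client opens its own connection for each non-local destination.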


