Date: Thu, 23 Dec 2004 14:07:01 -0800
From: "Bruce A. Mah" <bmah@freebsd.org>
To: Andrew Heyn <aheyn@jmsent.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Quick question about the tired ipf/ipnat/"dmz"/bridge scenario
Message-ID: <1103839621.43102.75.camel@tomcat.kitchenlab.org>
In-Reply-To: <CLELJKHKLJLNMNHGHFIDOEBLCAAA.aheyn@jmsent.com>
References: <CLELJKHKLJLNMNHGHFIDOEBLCAAA.aheyn@jmsent.com>
If memory serves me right, Andrew Heyn wrote:
> Quoting http://www.moatware.com/support/docbook/faq-bridge.html,
>
> 10.8. Why can't hosts on a NATed interface talk to hosts on a bridged
> interface?
> This frequently happens when someone wants to bridge an interface to their
> WAN to use it as a DMZ, and wants to put all of the hosts on their LAN
> interface behind a NAT. This is actually a fairly reasonable and natural
> thing to want to do.

Interesting. This text is part of a document that appears to be, almost
verbatim, copied from the documentation from m0n0wall, a FreeBSD-based
firewall package. The original is at:

http://m0n0.ch/wall/docbook/

I have some thoughts about this, but they're way off-topic for this list.

> The problem here is that ipnat and bridging (at least as implemented in
> FreeBSD) don't play well together. Packets from the LAN to the DMZ go out
> just fine, but in the other direction, it seems like the packets arriving on
> the unnumbered bridge interface don't get looked up correctly in the ipnat
> state tables.
>
> I've managed to convince myself that solving this is Really Really Hard
> (TM). The irritating thing is that there's no theoretical reason why this
> should be difficult...it all comes down to implementation details.
>
> Is there any way at all, even with kludges, to get this to work? I'd be
> extremely interested if there was any to accomplish this, as specified
> above.

I wrote this after I implemented m0n0wall's filtered bridging feature and
had about a dozen people ask me this question, which is a reasonable
question to ask, but tiring after you've heard it more than about five
times. :-p

My memory is a bit hazy but I think the problem was ipnat doesn't know
that packets arriving on the unnumbered bridge interface need to have
inbound NAT stuff done to them. It would need to know or figure out that
the inbound interface was in a bridging group and that one of the other
interfaces in the group was the interface being used for outbound NAT
packets. I bet one could probably get this to work, if they were willing
to hack up IPFilter and get it to understand the bridge(4) data structures.

Bruce.
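The failure mode Bruce describes (reply traffic arriving on an unnumbered bridge member instead of on the NAT interface, so the NAT state lookup misses) can be illustrated with a small model of a NAT state table. The following is an added example, not m0n0wall or IPFilter code; the interface names (lan0, wan0, dmz0), the addresses, and the shape of the state table are assumptions chosen for the illustration. The "bridge-aware" lookup stands in for the fix Bruce sketches, where the NAT code treats any member of the bridge group as equivalent to the outbound NAT interface.

```python
"""Toy model of the ipnat/bridge state-lookup problem.

Constructed example for illustration; it is not IPFilter, ipnat or
m0n0wall code.  Interface names, addresses and the state-table layout
are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on (inbound) or leaves by (outbound)
    src: str
    sport: int
    dst: str
    dport: int


class ToyNat:
    """Outbound NAT on one interface, with an optional notion of a bridge group."""

    def __init__(self, nat_iface: str, public_ip: str, bridge_group=frozenset()):
        self.nat_iface = nat_iface
        self.public_ip = public_ip
        # Interfaces bridged together with nat_iface (assumed; e.g. wan0 + dmz0).
        self.bridge_group = frozenset(bridge_group)
        # State key: (interface, remote ip, remote port, public port) -> (private ip, private port)
        self.table = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> outside: rewrite the source and record state on the NAT interface."""
        key = (self.nat_iface, pkt.dst, pkt.dport, pkt.sport)
        self.table[key] = (pkt.src, pkt.sport)
        return Packet(self.nat_iface, self.public_ip, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet, bridge_aware: bool) -> Optional[Packet]:
        """Reply from outside: find state and un-NAT, or return None on a miss.

        The naive lookup keys on the interface the reply actually arrived on.
        A bridge-aware lookup maps any bridge member back to the NAT interface.
        """
        iface = pkt.iface
        if bridge_aware and iface in self.bridge_group:
            iface = self.nat_iface
        key = (iface, pkt.src, pkt.sport, pkt.dport)
        if key not in self.table:
            return None  # no matching state: reply is not translated back to the LAN host
        priv_ip, priv_port = self.table[key]
        return Packet("lan0", pkt.src, pkt.sport, priv_ip, priv_port)


def simulate_dmz_reply(bridge_aware: bool) -> Optional[Packet]:
    """LAN host talks to a DMZ host whose segment is bridged to the WAN interface."""
    nat = ToyNat("wan0", "203.0.113.1", bridge_group={"wan0", "dmz0"})
    out = nat.outbound(Packet("lan0", "192.168.1.10", 40000, "203.0.113.50", 80))
    # The DMZ host's reply comes back on the unnumbered bridge member dmz0,
    # not on wan0, which is the interface the state was recorded against.
    reply = Packet("dmz0", "203.0.113.50", 80, out.src, out.sport)
    return nat.inbound(reply, bridge_aware)


def simulate_internet_reply(bridge_aware: bool) -> Optional[Packet]:
    """Same LAN host talking to an Internet host: the reply arrives on wan0 and works either way."""
    nat = ToyNat("wan0", "203.0.113.1", bridge_group={"wan0", "dmz0"})
    out = nat.outbound(Packet("lan0", "192.168.1.10", 40001, "198.51.100.7", 443))
    reply = Packet("wan0", "198.51.100.7", 443, out.src, out.sport)
    return nat.inbound(reply, bridge_aware)


if __name__ == "__main__":
    print("DMZ reply, naive lookup:       ", simulate_dmz_reply(False))
    print("DMZ reply, bridge-aware lookup:", simulate_dmz_reply(True))
    print("Internet reply, naive lookup:  ", simulate_internet_reply(False))
```

Running the script shows the asymmetry from the thread: the LAN-to-DMZ packet leaves correctly, the Internet case works with either lookup, and only the DMZ reply is lost under the naive lookup because its inbound interface is a bridge member rather than the NAT interface.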