From owner-freebsd-net@FreeBSD.ORG Thu Dec 23 22:07:06 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E98AE16A4CE; Thu, 23 Dec 2004 22:07:05 +0000 (GMT)
Received: from a.mail.sonic.net (a.mail.sonic.net [64.142.16.245]) by mx1.FreeBSD.org (Postfix) with ESMTP id C067A43D46; Thu, 23 Dec 2004 22:07:05 +0000 (GMT) (envelope-from bmah@freebsd.org)
Received: from tomcat.kitchenlab.org (adsl-64-142-31-107.sonic.net [64.142.31.107]) by a.mail.sonic.net (8.12.11/8.12.11) with ESMTP id iBNM759a026953 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Thu, 23 Dec 2004 14:07:05 -0800
Received: from tomcat.kitchenlab.org (localhost.kitchenlab.org [127.0.0.1]) by tomcat.kitchenlab.org (8.13.1/8.13.1) with ESMTP id iBNM72oS054217; Thu, 23 Dec 2004 14:07:02 -0800 (PST) (envelope-from bmah@freebsd.org)
Received: (from bmah@localhost) by tomcat.kitchenlab.org (8.13.1/8.13.1/Submit) id iBNM72ni054216; Thu, 23 Dec 2004 14:07:02 -0800 (PST) (envelope-from bmah@freebsd.org)
X-Authentication-Warning: tomcat.kitchenlab.org: bmah set sender to bmah@freebsd.org using -f
From: "Bruce A. Mah"
To: Andrew Heyn
In-Reply-To:
References:
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-Bm+ktHMk0GQq+PpJM/UI"
Date: Thu, 23 Dec 2004 14:07:01 -0800
Message-Id: <1103839621.43102.75.camel@tomcat.kitchenlab.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.3 FreeBSD GNOME Team Port
cc: "Bruce A. Mah"
cc: freebsd-net@freebsd.org
Subject: Re: Quick question about the tired ipf/ipnat/"dmz"/bridge scenario
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 23 Dec 2004 22:07:06 -0000

If memory serves me right, Andrew Heyn wrote:
> Quoting http://www.moatware.com/support/docbook/faq-bridge.html,
>
> 10.8. Why can't hosts on a NATed interface talk to hosts on a bridged
> interface?
> This frequently happens when someone wants to bridge an interface to their
> WAN to use it as a DMZ, and wants to put all of the hosts on their LAN
> interface behind a NAT. This is actually a fairly reasonable and natural
> thing to want to do.

Interesting. This text is part of a document that appears to be, almost verbatim, copied from the documentation from m0n0wall, a FreeBSD-based firewall package. The original is at:

http://m0n0.ch/wall/docbook/

I have some thoughts about this, but they're way off-topic for this list.

> The problem here is that ipnat and bridging (at least as implemented in
> FreeBSD) don't play well together. Packets from the LAN to the DMZ go out
> just fine, but in the other direction, it seems like the packets arriving on
> the unnumbered bridge interface don't get looked up correctly in the ipnat
> state tables.
>
> I've managed to convince myself that solving this is Really Really Hard
> (TM). The irritating thing is that there's no theoretical reason why this
> should be difficult...it all comes down to implementation details.
>
>
> Is there any way at all, even with kludges, to get this to work? I'd be
> extremely interested if there was any way to accomplish this, as specified
> above.
I wrote this after I implemented m0n0wall's filtered bridging feature and had about a dozen people ask me this question, which is a reasonable question to ask, but tiring after you've heard it more than about five times. :-p

My memory is a bit hazy, but I think the problem was ipnat doesn't know that packets arriving on the unnumbered bridge interface need to have inbound NAT stuff done to them. It would need to know or figure out that the inbound interface was in a bridging group and that one of the other interfaces in the group was the interface being used for outbound NAT packets.

I bet one could probably get this to work, if they were willing to hack up IPFilter and get it to understand the bridge(4) data structures.

Bruce.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQBBy0GF2MoxcVugUsMRAoJJAJ90yNpqTsjvgK65R+VO7SekOek2nACdHYz7
KtxV4XZY6MedNh1B6/TykKg=
=4U+H
-----END PGP SIGNATURE-----
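A small model of the state-lookup mismatch Bruce describes, added here as an illustration after the thread; it is not IPFilter, m0n0wall or FreeBSD code. Everything in it is a constructed assumption: the interface names sis0/sis1/sis2, the addresses and ports, and the `bridge_groups` table that folds bridge members onto one canonical interface name (the "know that the inbound interface was in a bridging group" step from the message). It goes one step beyond the thread by also running the plain Internet round trip, to show that the same table works when the reply enters on the numbered NAT interface and only loses the reply that enters on the unnumbered bridge member.

```python
"""Toy model of the ipnat/bridge interaction discussed in the thread above.

Added illustration only: not IPFilter, m0n0wall or FreeBSD code. Interface
names, addresses, port numbers and the bridge-group table are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed interface roles (assumption): LAN hosts are NATed behind WAN_IF;
# DMZ_IF is an unnumbered interface bridged together with WAN_IF.
LAN_IF, WAN_IF, DMZ_IF = "sis0", "sis1", "sis2"


@dataclass(frozen=True)
class Packet:
    ifname: str   # interface the packet enters or leaves on
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class NatEntry:
    orig_src: str
    orig_sport: int


class Ipnat:
    """Minimal outbound 'map' NAT.

    Packets leaving on nat_if get their source rewritten to nat_addr and a
    state entry is recorded. Replies are matched against that state with the
    arriving interface as part of the key, which is the behaviour the message
    attributes to ipnat. With bridge_groups given, every member of a group is
    folded onto one canonical name first (the bridge(4)-aware variant).
    """

    def __init__(self, nat_if: str, nat_addr: str,
                 bridge_groups: Iterable[Set[str]] = ()):
        self.nat_if = nat_if
        self.nat_addr = nat_addr
        self.next_port = 40000
        # key: (interface, local addr, local port, remote addr, remote port)
        self.state: Dict[Tuple[str, str, int, str, int], NatEntry] = {}
        self.canon: Dict[str, str] = {}
        for group in bridge_groups:
            canonical = min(group)
            for member in group:
                self.canon[member] = canonical

    def _key_if(self, ifname: str) -> str:
        return self.canon.get(ifname, ifname)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the box; returns the packet as sent."""
        if pkt.ifname != self.nat_if:
            return pkt  # no map rule on this interface
        mapped_port = self.next_port
        self.next_port += 1
        key = (self._key_if(self.nat_if), self.nat_addr, mapped_port,
               pkt.dst, pkt.dport)
        self.state[key] = NatEntry(pkt.src, pkt.sport)
        return Packet(pkt.ifname, self.nat_addr, mapped_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Undo the translation for a reply; None if no state matches."""
        key = (self._key_if(pkt.ifname), pkt.dst, pkt.dport, pkt.src, pkt.sport)
        entry = self.state.get(key)
        if entry is None:
            return None  # reply never reaches the LAN host
        return Packet(pkt.ifname, pkt.src, pkt.sport,
                      entry.orig_src, entry.orig_sport)


def round_trip(nat: Ipnat, peer: str, reply_if: str) -> Optional[Packet]:
    """LAN host 192.168.1.10 talks to `peer`; the reply enters on `reply_if`.

    Addresses are constructed; 203.0.113.2 is the NAT address on WAN_IF.
    """
    sent = nat.outbound(Packet(WAN_IF, "192.168.1.10", 51000, peer, 80))
    reply = Packet(reply_if, peer, 80, sent.src, sent.sport)
    return nat.inbound(reply)


def demo() -> Dict[str, Optional[Packet]]:
    naive = Ipnat(WAN_IF, "203.0.113.2")
    aware = Ipnat(WAN_IF, "203.0.113.2", bridge_groups=[{WAN_IF, DMZ_IF}])
    return {
        # Internet host: reply enters on the numbered NAT interface, works.
        "naive_internet": round_trip(naive, "198.51.100.7", WAN_IF),
        # DMZ host on the bridged segment: reply enters on the unnumbered
        # bridge member, so the interface in the key never matches.
        "naive_dmz": round_trip(naive, "203.0.113.20", DMZ_IF),
        # Same DMZ case once the NAT folds bridge members together.
        "aware_dmz": round_trip(aware, "203.0.113.20", DMZ_IF),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        outcome = ("translated to " + result.dst) if result else "no state match, reply lost"
        print(f"{name}: {outcome}")
```

The naive table is the point of the thread: the outbound state was created against the NAT interface, the DMZ host's answer is switched in on the other bridge member, and the per-interface key never matches. Folding both members onto one name is the smallest version of "understand the bridge(4) data structures"; a real fix would also have to decide which member's address the map rule applies to, which this model does not attempt.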