Date: Tue, 22 Jan 2002 19:26:03 +0200
From: Ruslan Ermilov
To: Ramiro Vázquez
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Message-ID: <20020122192603.C58453@sunbay.com>
References: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>
In-Reply-To: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>

On Tue, Jan 22, 2002 at 11:19:27AM -0600, Ramiro Vázquez wrote:
> Hi,
>
> We work at a cable ISP and we are using NAT & PAT to provide enough IP
> addresses to our customers.
>
> We have experienced problems with certain applications, mostly with
> peer-to-peer applications like MSN Messenger.
> Some features like the send-file function don't work.
> We used a sniffer and discovered that when one of our customers tries to send
> a file to someone outside our net, the application does this:
> 1.- The application opens a port (6891-6899).
> 2.- Sends the IP of the machine (the private IP) and the port that is
> listening.
> 3.- The other peer tries to connect to the private IP and the port that
> it had received.
> 4.- The connection fails.
>
> We modified a proxy to change the packet that the application sends, replacing
> the private IP and the local port with a public IP and
> another port; the proxy then sends these changes to an application that just
> maps or forwards the port that we sent to the outside peer to the real IP
> and port of our customer.
>
> This solution works and we are going to begin testing with more
> connections, but maybe it is not the best solution; one disadvantage is that
> the customer must specify a proxy, and that is hard work.
>
> We think that if we could make these changes with ipfw or ip-filters and
> then add a rule to natd or ip-nat to forward the port, it would be more
> efficient.
>
> Then we could redirect the MSN traffic to ipfw or ip-filters and make it
> all transparent to our customers.
>
> We think that we can do this for the most important applications to
> solve this problem, and it's very important because we use a lot of PAT and
> many applications can't work with all their features.
>
> Is it possible to make this with ipfw?? Is anybody working around this??
>
> Any idea or comment would be helpful!!
>
If you know the MSN protocol, it should be pretty easy to add the required
glue to libalias(3) to do the necessary payload stubs, etc., so that this
works transparently through natd(8) and/or ppp(8).

Cheers,
--
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
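To make the "glue" in the reply concrete, here is an added example of what such an application-level gateway does for the four-step failure Ramiro describes. It is not code from this thread and not FreeBSD's libalias(3): it is a small stand-alone C program that scans a text payload for the sender's private address and listening port (step 2), rewrites them to the NAT's public address and an alias port, and returns the redirect the NAT must install so the peer's inbound connection (step 3) reaches the private host instead of failing (step 4). The `IP-Address:` / `Port:` line format, the function names (`alg_rewrite_payload`, `replace_value`, `example_rewrite`, `example_mismatch`), the sample payload and the addresses are all constructed for illustration; they are not a description of the real MSN protocol. The example also carries the check a NAT ALG needs: it rewrites only when the advertised address is the packet's own source, so the gateway never installs a redirect toward some other host.

```c
/* Toy ALG in the spirit of the libalias(3) glue suggested in the reply:
 * find the sender's private address and listening port in a text payload,
 * rewrite them to the NAT's public address and an alias port, and record the
 * redirect the NAT must install so the remote peer's inbound connection
 * reaches the private host. The "IP-Address: "/"Port: " line format is an
 * assumption for illustration, not a claim about the real MSN protocol. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

struct alg_mapping {
    char priv_ip[INET_ADDRSTRLEN];  /* private address the client advertised */
    unsigned short priv_port;       /* port the client listens on */
    char pub_ip[INET_ADDRSTRLEN];   /* NAT public address written into payload */
    unsigned short alias_port;      /* public port the NAT redirects to priv */
};

/* Replace the value of one "Key: value\r\n" line in place.
 * Returns 1 if rewritten, 0 if the key is absent, -1 if buf is too small. */
static int replace_value(char *buf, size_t cap, const char *key, const char *val)
{
    char *start = strstr(buf, key);
    if (start == NULL) return 0;
    start += strlen(key);
    char *end = strstr(start, "\r\n");
    if (end == NULL) return 0;
    size_t oldlen = (size_t)(end - start), newlen = strlen(val), total = strlen(buf);
    if (total - oldlen + newlen + 1 > cap) return -1;
    memmove(start + newlen, end, total - (size_t)(end - buf) + 1); /* tail incl. NUL */
    memcpy(start, val, newlen);
    return 1;
}

/* src_ip is the IP-header source of the packet carrying the payload. We
 * rewrite only when the advertised address equals that source, so the ALG
 * never installs a redirect on behalf of another host.
 * Returns 0 and fills *m and *delta (payload length change, which a TCP ALG
 * must apply to later sequence/ack numbers); -1 leaves payload untouched. */
int alg_rewrite_payload(char *payload, size_t cap, const char *src_ip,
                        const char *pub_ip, unsigned short alias_port,
                        struct alg_mapping *m, int *delta)
{
    const char *ipkey = "IP-Address: ", *portkey = "Port: ";
    char *p = strstr(payload, ipkey), *q = strstr(payload, portkey);
    if (p == NULL || q == NULL) return -1;
    p += strlen(ipkey); q += strlen(portkey);
    size_t n = strcspn(p, "\r\n"), plen = strcspn(q, "\r\n");
    if (n == 0 || n >= sizeof m->priv_ip || plen == 0) return -1;
    memcpy(m->priv_ip, p, n);
    m->priv_ip[n] = '\0';
    struct in_addr adv, src;
    if (inet_pton(AF_INET, m->priv_ip, &adv) != 1 ||
        inet_pton(AF_INET, src_ip, &src) != 1 || adv.s_addr != src.s_addr)
        return -1;                  /* malformed, or not the sender's own address */
    long port = strtol(q, NULL, 10);
    if (port < 1 || port > 65535) return -1;
    char portbuf[8];
    snprintf(portbuf, sizeof portbuf, "%u", (unsigned)alias_port);
    size_t before = strlen(payload);
    if (before - n - plen + strlen(pub_ip) + strlen(portbuf) + 1 > cap) return -1;
    replace_value(payload, cap, ipkey, pub_ip);   /* cannot fail after the checks above */
    replace_value(payload, cap, portkey, portbuf);
    m->priv_port = (unsigned short)port;
    snprintf(m->pub_ip, sizeof m->pub_ip, "%s", pub_ip);
    m->alias_port = alias_port;
    *delta = (int)strlen(payload) - (int)before;
    return 0;
}

/* Constructed sample payload, modelled loosely on step 2 of the thread. */
#define SAMPLE "INVITE\r\nIP-Address: 192.168.0.21\r\nPort: 6891\r\n\r\n"

/* Packet from 192.168.0.21 advertising itself: the rewrite happens. Returns
 * the length delta (0: address shrinks by 1, port grows by 1) or -99 on error. */
int example_rewrite(void)
{
    char buf[128] = SAMPLE; struct alg_mapping m; int delta;
    if (alg_rewrite_payload(buf, sizeof buf, "192.168.0.21", "203.0.113.5", 40891, &m, &delta) != 0)
        return -99;
    if (strcmp(buf, "INVITE\r\nIP-Address: 203.0.113.5\r\nPort: 40891\r\n\r\n") != 0) return -99;
    if (strcmp(m.priv_ip, "192.168.0.21") || m.priv_port != 6891 || m.alias_port != 40891) return -99;
    return delta;
}

/* Same payload carried by a packet from another host: the ALG must refuse
 * and leave the bytes alone. Returns 1 when it does. */
int example_mismatch(void)
{
    char buf[128] = SAMPLE; struct alg_mapping m; int delta;
    return alg_rewrite_payload(buf, sizeof buf, "192.168.0.99", "203.0.113.5", 40891, &m, &delta) == -1
        && strcmp(buf, SAMPLE) == 0;
}

int main(void)
{
    char buf[128] = SAMPLE; struct alg_mapping m; int delta;
    if (alg_rewrite_payload(buf, sizeof buf, "192.168.0.21", "203.0.113.5", 40891, &m, &delta) == 0)
        printf("%sinstall redirect %s:%u -> %s:%u (seq delta %d)\n", buf,
               m.pub_ip, m.alias_port, m.priv_ip, m.priv_port, delta);
    return 0;
}
```

Two things the toy leaves to the real libalias(3) glue are worth knowing before relying on a transparent fix: when the rewritten value is not the same length as the original, every later TCP segment of that connection needs its sequence and acknowledgement numbers adjusted by `delta`, and the address line may arrive split across two segments, so a production handler has to reassemble or defer rather than scan one packet at a time. The source-address check is the part to keep in any version: without it, a payload naming an arbitrary address would make the NAT open a redirect for a host that never asked for one.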