Date: Sat, 20 Apr 2002 19:17:10 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Brett Glass <brett@lariat.org>
Cc: "Matthew D. Fuller" <fullermd@over-yonder.net>, chat@FreeBSD.ORG
Subject: Re: How to control address used by INADDR_ANY?
Message-ID: <3CC22126.9F28CE8A@mindspring.com>
References: <4.3.2.7.2.20020420111258.021d7270@nospam.lariat.org> <4.3.2.7.2.20020419144005.0358c610@nospam.lariat.org> <4.3.2.7.2.20020419144005.0358c610@nospam.lariat.org> <4.3.2.7.2.20020420004621.02379880@nospam.lariat.org> <3CC1245C.EEE4ADE@mindspring.com> <4.3.2.7.2.20020420111258.021d7270@nospam.lariat.org> <4.3.2.7.2.20020420113621.021dfd00@nospam.lariat.org>
Brett Glass wrote:

> At 11:22 AM 4/20/2002, Matthew D. Fuller wrote:
> >The same routable address you have on its internal interface, with a /32
> >netmask, and then the default route pointed out the interface.
>
> I'd considered this, but wasn't sure about the effects of having
> an address assigned to two interfaces simultaneously. How would
> this affect responses to ARP queries?

The answer to this is "who cares, all you really care about is that the packet source address is a routable address, so the packet makes it through the ISP".

We are talking about packets sent out sockets bound to an interface at accept time... outbound connections only.

For the ARP stuff: the answer to the "who has" will be the machine where the IP is configured, out the interfaces on the machine where the request was received.

You need to "man arp", and pay specific attention to the "pub" argument to the "-s" option.

FreeBSD is already broken here somewhat, in that it will respond to ARP requests for IP addresses configured on the loopback interface. This means that you can't use FreeBSD HTTP servers with Arrowpoint, Lucent, etc. load balancers that have been configured to use DSR (see Appendix B of the O'Reilly "Server Load Balancing" book). So in the worst case, you aren't going to break anything that isn't already broken.

> Other options I've considered are:
>
> 1) Using natd to change the source addresses on outgoing packets
> with source addresses in 10.x to something routable (that is,
> having the machine do NAT for its own internal processes). Would
> this work?

The NAT can't do block address translation, it can only do 1:N translation (not N:N translation). This is the main reason that the NAT-based VPN code is only suitable for clients coming into a corporate network, and why people keep talking about using a point-to-point IPSEC connection to tunnel VLAN trunking over.

> 2) Running local processes in a "jail" (assuming that this would
> force their IP source addresses to the address assigned to the
> "jail...." Would it? I'd need to figure out how to configure this,
> because the natd documentation doesn't really explain how it works).

No, it would not force the source address.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
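The thread's underlying question is which source address the kernel picks for an outbound socket left on INADDR_ANY, and how to pin it. The following is an added example, not code from the thread or from FreeBSD: a UDP connect() sends nothing but triggers source-address selection, so getsockname() afterwards shows what an unbound socket would use, while a bind() to a specific local address beforehand fixes the source. The function names chosen_source and source_is and the loopback destination are my own constructed choices.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a UDP socket, bind() it to local_ip when one is given (port 0 lets the
 * kernel pick the port), then connect() it to remote_ip:remote_port. connect()
 * on a UDP socket sends nothing: it only runs the kernel's source-address
 * selection, so getsockname() afterwards reveals the address an INADDR_ANY
 * socket would have used, or the pinned one when local_ip was supplied.
 * Returns 0 on success and writes the chosen source address into out. */
int chosen_source(const char *local_ip, const char *remote_ip,
                  unsigned short remote_port, char *out, size_t outlen)
{
    struct sockaddr_in local, remote, name;
    socklen_t len = sizeof name;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;

    if (local_ip != NULL) {
        memset(&local, 0, sizeof local);
        local.sin_family = AF_INET;
        local.sin_port = 0;                 /* ephemeral port, fixed address */
        if (inet_pton(AF_INET, local_ip, &local.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&local, sizeof local) < 0) {
            close(fd);
            return -1;
        }
    }
    memset(&remote, 0, sizeof remote);
    remote.sin_family = AF_INET;
    remote.sin_port = htons(remote_port);
    if (inet_pton(AF_INET, remote_ip, &remote.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&remote, sizeof remote) < 0 ||
        getsockname(fd, (struct sockaddr *)&name, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return inet_ntop(AF_INET, &name.sin_addr, out, outlen) ? 0 : -1;
}

/* Convenience check: does the source chosen towards remote_ip equal expect? */
int source_is(const char *local_ip, const char *remote_ip, const char *expect)
{
    char addr[INET_ADDRSTRLEN];          /* constructed: port 9 (discard) */
    return chosen_source(local_ip, remote_ip, 9, addr, sizeof addr) == 0 &&
           strcmp(addr, expect) == 0;
}
```

Calling chosen_source(NULL, "<ISP-facing host>", ...) on the machine in question shows which of its addresses INADDR_ANY resolves to for that route; passing the routable address as local_ip pins it regardless of the route.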