From owner-freebsd-chat Sat Apr 20 19:54:46 2002
Date: Sat, 20 Apr 2002 20:54:21 -0600
From: Brett Glass
To: Terry Lambert
Cc: "Matthew D. Fuller", chat@FreeBSD.ORG
Subject: Re: How to control address used by INADDR_ANY?
Message-Id: <4.3.2.7.2.20020420204617.021f4470@nospam.lariat.org>
In-Reply-To: <3CC22126.9F28CE8A@mindspring.com>

At 08:17 PM 4/20/2002, Terry Lambert wrote:

>> Other options I've considered are:
>>
>> 1) Using natd to change the source addresses on outgoing packets
>> with source addresses in 10.x to something routable (that is,
>> having the machine do NAT for its own internal processes). Would
>> this work?
>
>The NAT can't do block address translation, it can only do 1:N
>translation (not N:N translation).

Ah, but we only NEED to do 1:N translation. We need to translate the
source address of 10.X.Y.Z to A.B.C.1 when going outbound on the
upstream interface. I believe that ipnat is capable of doing this with
a "map" rule, because it sits outside the kernel. But I don't know if
natd (which is what I'd prefer to use because it's able to do
port-specific NAT more gracefully) can do this.

>> 2) Running local processes in a "jail" (assuming that this would
>> force their IP source addresses to the address assigned to the
>> "jail...." Would it?
>
>No, it would not force the source address.

Are you sure? I haven't played much with jails, but I do note the
following on the jail(8) man page:

> jail.socket_unixiproute_only
> The jail functionality binds an IPv4 address to each jail, and limits
> access to other network addresses in the IPv4 space that may be
> available in the host environment.

I had always interpreted this to mean that the apps operating in the
jail were limited -- both when they listened and when they opened
outbound sockets -- to using the jail's IPv4 address.

--Brett Glass
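The thread's subject is how a process ends up with a particular source address when it never asked for one. The mechanism the NAT and jail options above are standing in for is the socket API itself: a client that binds its socket to a specific local address (port 0) before connect() forces the kernel to use that address as the source, whereas an unbound socket is treated as INADDR_ANY and the kernel picks the source from the routing table. The program below is an added example written for this page, not code from the thread or from FreeBSD; it runs entirely over loopback and assumes that 127.0.0.1 is configured and that 192.0.2.1 (TEST-NET-1) is not assigned to any local interface, so the last case shows what the kernel says when you ask for an address the box does not own.

```c
/* Added example (not from the thread): controlling the source address of an
 * outbound TCP connection with bind() before connect().  Assumes loopback is
 * up and that 192.0.2.1 is NOT a local address (both are this example's own
 * assumptions).  Builds on FreeBSD and Linux: cc -o srcaddr srcaddr.c */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Listening TCP socket on 127.0.0.1, kernel-chosen port (returned in *port,
 * host byte order).  Returns the fd, or -1 on error. */
int start_listener(unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                       /* let the kernel pick a port */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    *port = ntohs(sin.sin_port);
    return fd;
}

/* Connect to 127.0.0.1:port.  If local_ip is non-NULL, bind the socket to
 * that address (any port) first, which pins the source address; if NULL,
 * the socket is left at INADDR_ANY and the kernel chooses the source via
 * the routing table.  Writes the address the kernel actually used (from
 * getsockname) into out and returns 0; returns -1 with errno preserved on
 * failure, so a caller can distinguish e.g. EADDRNOTAVAIL. */
int connect_from(const char *local_ip, unsigned short port,
                 char *out, size_t outlen)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    int e, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    if (local_ip != NULL) {
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        sin.sin_port = 0;                   /* any local port, fixed address */
        if (inet_pton(AF_INET, local_ip, &sin.sin_addr) != 1) {
            close(fd); errno = EINVAL; return -1;
        }
        if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
            e = errno; close(fd); errno = e; return -1;
        }
    }

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (connect(fd, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        e = errno; close(fd); errno = e; return -1;
    }
    inet_ntop(AF_INET, &sin.sin_addr, out, outlen);
    close(fd);
    return 0;
}

int main(void)
{
    unsigned short port;
    char src[INET_ADDRSTRLEN];
    const char *cases[] = { NULL, "127.0.0.1", "192.0.2.1" };
    int lfd = start_listener(&port);
    if (lfd < 0) { perror("listener"); return 1; }

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *want = cases[i] ? cases[i] : "(INADDR_ANY, kernel picks)";
        if (connect_from(cases[i], port, src, sizeof src) == 0)
            printf("requested %-28s -> kernel used %s\n", want, src);
        else
            printf("requested %-28s -> bind/connect failed: %s\n",
                   want, strerror(errno));
    }
    close(lfd);
    return 0;
}
```

Both the bound and the unbound case come out as 127.0.0.1 here only because the destination is loopback; on a multi-homed host with 10.x and a routable address, the unbound case is exactly where the kernel's choice surprises you, and binding is the per-process fix. The EADDRNOTAVAIL result is worth checking for in any daemon that takes a "bind address" option: it means the address is not configured on the host, which is the same precondition an address-rewriting rule or a jail address would have to satisfy.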