Date:      Thu, 14 Jul 2005 09:51:48 -0300
From:      "Giovanni P. Tirloni" <gpt@tirloni.org>
To:        Alex Povolotsky <tarkhil@webmail.sub.ru>
Cc:        freebsd-net@freebsd.org
Subject:   Re: GRE and PF problem
Message-ID:  <42D65FE4.2030801@tirloni.org>
In-Reply-To: <42D60832.9090206@webmail.sub.ru>
References:  <42D536EC.5030500@webmail.sub.ru>	<9f9a8c4005071322311907b4b@mail.gmail.com> <42D60832.9090206@webmail.sub.ru>

Alex Povolotsky wrote:
> compunction wrote:
> 
>> GRE needs to pass bidirectional.  You will need a binat to make it
>> work.  I have not found a firewall that will allow GRE to work with a
>> many to one nat.
>>  
>>
> 
> The most painful thing is that pf's nat works for GRE - SOMETIMES :-(
> 
> The only thing the firewall needs to implement for natting GRE is creation 
> of two rules (forward and back) for the GRE packet, just like it does for ICMP.
> 
> I'm not a firewall writer, but as far as I understand general procedural 
> programming, it cannot be THAT complicated.

  When a packet comes from 1.2.3.4 to your external interface you can't 
determine if it's destined to 192.168.0.1 or 192.168.0.2 if both 
initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have ports 
like UDP or TCP to make (de)multiplexing possible, AFAIK.

  http://www.networksorcery.com/enp/protocol/gre.htm

-- 
Giovanni P. Tirloni / gpt@tirloni.org / PGP: 0xD0315C26
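The demultiplexing point Giovanni makes above, worked through in code. This is an added illustration, not code from the thread or from pf: a toy many-to-one NAT whose reverse lookup key for UDP includes the translated source port, and for GRE only the addresses, so two inside hosts tunnelling to the same peer collide. The GRE header parser follows RFC 2784 with the RFC 2890 Key extension; the outside address 203.0.113.5, the packet bytes and the idea of a NAT keying on the GRE Key field are assumptions made for the example, not something the thread describes.

```python
"""Why a many-to-one NAT can demultiplex UDP replies but not plain GRE.

Constructed example: addresses 192.168.0.1/2 and 1.2.3.4 come from the
thread; EXTERNAL_IP and the packet bytes are made up for illustration.
"""
import struct

EXTERNAL_IP = "203.0.113.5"   # constructed NAT outside address (RFC 5737 range)


def parse_gre(packet: bytes) -> dict:
    """Parse a GRE header (RFC 2784 base header, RFC 2890 Key/Sequence).

    Returns the version, encapsulated protocol type, the Key if present
    (None otherwise) and the offset at which the payload starts.
    """
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", packet[:4])
    has_csum = bool(flags_ver & 0x8000)   # C bit
    has_key = bool(flags_ver & 0x2000)    # K bit (RFC 2890)
    has_seq = bool(flags_ver & 0x1000)    # S bit (RFC 2890)
    version = flags_ver & 0x0007
    offset = 4
    key = None
    if has_csum:
        offset += 4                       # Checksum (2) + Reserved1 (2)
    if has_key:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE Key field")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if has_seq:
        offset += 4
    return {"version": version, "proto": proto, "key": key, "payload_offset": offset}


class ManyToOneNat:
    """Toy stateful NAT: every inside host shares EXTERNAL_IP on the outside."""

    def __init__(self):
        self.next_port = 40000
        self.reverse = {}   # reply lookup key -> set of inside hosts that match

    def outbound(self, proto, inside_ip, dst_ip, dport=None, gre_key=None):
        """Record an outbound flow and return the key a reply will be matched on."""
        if proto == "udp":
            xport = self.next_port          # translated source port is unique
            self.next_port += 1
            rkey = ("udp", dst_ip, EXTERNAL_IP, dport, xport)
        elif proto == "gre":
            # No ports: only addresses (and the optional Key) are available.
            rkey = ("gre", dst_ip, EXTERNAL_IP, gre_key)
        else:
            raise ValueError("unsupported protocol")
        self.reverse.setdefault(rkey, set()).add(inside_ip)
        return rkey

    def inbound(self, rkey):
        """Return the one inside host owning the reply, or None if ambiguous."""
        owners = self.reverse.get(rkey, set())
        return next(iter(owners)) if len(owners) == 1 else None


def demonstrate_demux() -> dict:
    """Two inside hosts talk to the same outside peer over UDP and GRE."""
    nat = ManyToOneNat()
    peer = "1.2.3.4"
    # UDP: same destination port, but each host gets its own translated port.
    u1 = nat.outbound("udp", "192.168.0.1", peer, dport=53)
    u2 = nat.outbound("udp", "192.168.0.2", peer, dport=53)
    # Plain GRE (no Key): flags=0, version 0, protocol type 0x0800 (IPv4).
    plain = b"\x00\x00\x08\x00"
    g1 = nat.outbound("gre", "192.168.0.1", peer, gre_key=parse_gre(plain)["key"])
    g2 = nat.outbound("gre", "192.168.0.2", peer, gre_key=parse_gre(plain)["key"])
    # Keyed GRE (K bit set): distinct per-tunnel keys give a NAT that reads
    # them something to demultiplex on (assumption, see lead-in).
    keyed1 = b"\x20\x00\x08\x00" + (0x1111).to_bytes(4, "big")
    keyed2 = b"\x20\x00\x08\x00" + (0x2222).to_bytes(4, "big")
    k1 = nat.outbound("gre", "192.168.0.1", peer, gre_key=parse_gre(keyed1)["key"])
    k2 = nat.outbound("gre", "192.168.0.2", peer, gre_key=parse_gre(keyed2)["key"])
    return {
        "udp_reply_for_host1": nat.inbound(u1),
        "udp_reply_for_host2": nat.inbound(u2),
        "plain_gre_reply": nat.inbound(g1),          # None: g1 == g2, two owners
        "keyed_gre_reply_for_host1": nat.inbound(k1),
        "keyed_gre_reply_for_host2": nat.inbound(k2),
    }


if __name__ == "__main__":
    for name, owner in demonstrate_demux().items():
        print(f"{name}: {owner}")
```

The plain-GRE case is exactly the "works SOMETIMES" behaviour: with a single inside tunnel the reverse key has one owner and the NAT appears to work; the second tunnel to the same peer makes the key ambiguous. The keyed variant only helps if both peers agree on distinct keys per tunnel and the NAT is written to read them; a NAT cannot rewrite the Key the way it rewrites a UDP port, because the far end interprets it.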


