Date: Fri, 1 Mar 1996 23:37:02 +1100 (EDT)
From: Darren Reed <avalon@coombs.anu.edu.au>
To: phk@critter.tfs.com (Poul-Henning Kamp)
Cc: archie@tribe.com, security@freebsd.org
Subject: Re: IP filtering strawman, comments please.
Message-ID: <199603011238.EAA09162@freefall.freebsd.org>
In-Reply-To: <2183.825675018@critter.tfs.com> from "Poul-Henning Kamp" at Mar 1, 96 11:10:18 am
In some mail from Poul-Henning Kamp, sie said:
>
> > > > And finally, what should be done when the rule matches:
> > >
> > Howabout:
> >
> > "remap X" Change the (source/dest) network number to X from whatever
> > it was. This would provide very easy network address translation
> > in the case that the two netmask widths are identical. This could
> > be a big feature if people have to start renumbering their
> > networks but aren't ready yet... cf. rfc1900.
> >
> > The more general case (such as remapping an entire network
> > into a single IP address) is slightly harder, since you have
> > to remember what UDP/TCP ports you have mapped to as well,
> > time them out, sniff FTP packets, etc... but it can and has
> > been done...
> I would rather leave this to a user-land process by using the divert
> trick. I'm trying to get maximum mileage from the minimum kernel-code.

[...]

> > "divert" would be great for security auditing purposes.
> and other things too. remember that packet can be reinjected after
> being chewed on.

"remap" and "divert" are two sides of the same coin. Doing things in
userland is nice/safe, BUT (big BUT), there is a significant performance
hit.

darren