From: Matthew Seaman
To: Hakim Singhji
Cc: "Hakim Z. Singhji", Bill Moran, freebsd-questions@freebsd.org
Date: Thu, 29 Jul 2004 16:42:09 +0100
Subject: Re: HOWTO Ping LAN???
Message-ID: <20040729154209.GA80531@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040729T102705Z_C5AF00120003@nychhc.org>

On Thu, Jul 29, 2004 at 10:27:05AM -0400, Hakim Singhji wrote:
> Hi Matt,
>
> You say that the only way I will be able to connect to my network is by tunneling.
> This is not what I want to do. I thought I may be able to SSH, Telnet, www, etc.
> from the outside to my default gateway and have the gateway pass SSH, Telnet,
> www, or any other request to the machine on the private network by including the
> "localhost.defaultgateway.domain.org" or something to that effect.
>
> Does NAT Overloading only go one way???

Essentially, yes. What you're after is called 'port forwarding' (which
is actually a class of tunnelling methods).

What you can't do in the sort of setup you describe is ssh(1) to the
gateway machine and have it connect you to some arbitrary machine on
your internal network. The outside world doesn't "know" anything about
the arrangement of your private network: which machine should the
gateway box forward the incoming connection to? All it sees is a TCP
SYN packet sent to port 22 on its internet interface. Going the other
way round -- where the internal machine initiates the connection --
works because you can match up the response ACK packet to the outgoing
SYN packet.

In order to allow remote access to your private machines you've somehow
got to introduce a mechanism to permit the gateway machine to know which
of the internal machines you want to connect to. You can set up
non-standard ports on the NAT gateway to forward connections to internal
machines, eg.

    Port:   Destination:
    ----------------------
    2201    192.168.0.1:22
    2202    192.168.0.2:22
    2203    192.168.0.3:22

(see natd(8)) but a) you'd have to do that for each service on each
machine you want connectivity to, and b) it's not going to work in the
specific case of ssh(1), because ssh(1) attempts to verify the identity
of the host it connects to against the host keys presented to it during
the SSH connection.

Probably the easiest thing to do is log into your gateway machine via
ssh(1) and then take a second hop from there to your internal machines.
telnet(1) is generally a bad idea for security reasons. ping(8), which
operates via ICMP echo request, is completely out: ICMP doesn't have the
concept of port numbers at all, so there's no way to clue the NAT
gateway into which machine you want to communicate with.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
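As an added example (not part of Matthew's message or any FreeBSD code), the
following POSIX shell script turns the port table from the reply above into the
natd(8) `redirect_port` lines that would go into /etc/natd.conf, and into
matching ssh_config(5) `Host` stanzas for the client side. The 192.168.0.x
addresses and 2201-2203 ports are the ones from the message; the public name
`gateway.example.org` is a placeholder. Each stanza sets `HostKeyAlias` so that
the three internal hosts' keys are stored under their own names in known_hosts
rather than all under the gateway's name. ICMP has no port field, so there is
no equivalent redirect for ping(8); only TCP/UDP services can be mapped this
way.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumptions: internal hosts 192.168.0.1-3 on port 22 behind a natd(8)
# gateway, reachable from outside on ports 2201-2203 (table from the message);
# "gateway.example.org" is a placeholder for the gateway's public name.

# Mapping as given in the message: external port -> internal host:port
PORT_MAP='
2201 192.168.0.1:22
2202 192.168.0.2:22
2203 192.168.0.3:22
'

# Emit /etc/natd.conf lines. In the config file natd(8) options are written
# without the leading dash: redirect_port proto targetIP:targetPort aliasPort
natd_redirect_rules() {
    printf '%s\n' "$PORT_MAP" | while read -r ext target; do
        [ -n "$ext" ] || continue            # skip blank lines
        printf 'redirect_port tcp %s %s\n' "$target" "$ext"
    done
}

# Emit ssh_config(5) stanzas for the client. HostKeyAlias makes ssh look up
# and save the host key under the internal address instead of the gateway
# name, so 2201, 2202 and 2203 each get their own known_hosts entry.
ssh_config_stanzas() {
    gw=$1
    printf '%s\n' "$PORT_MAP" | while read -r ext target; do
        [ -n "$ext" ] || continue
        ip=${target%%:*}                     # strip ":22"
        printf 'Host lan-%s\n    HostName %s\n    Port %s\n    HostKeyAlias %s\n\n' \
            "${ip##*.}" "$gw" "$ext" "$ip"
    done
}

# Example usage: write both fragments to stdout for review.
natd_redirect_rules
ssh_config_stanzas gateway.example.org
```

With the natd lines in place (and the usual `divert natd` ipfw rule on the
external interface), `ssh lan-1` from outside connects to
gateway.example.org:2201 and is forwarded to 192.168.0.1:22, with that host's
key checked against the `192.168.0.1` alias in known_hosts.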