Date: Fri, 28 May 1999 11:14:46 +0200 From: Konstantinos.DRYLLERAKIS@DG21.cec.be To: <freebsd-hackers@freebsd.org>, <freebsd-question@freebsd.org> Subject: ipfw/natd limitation: controlling access of an unregistered net to the internet Message-ID: <WIN944-990528091513-3DA7*/G=KONSTANTINOS/S=DRYLLERAKIS/O=DG21/PRMD=CEC/ADMD=RTT/C=BE/@MHS>
next in thread | raw e-mail | index | archive | help
Dear all, I believe the problem that I am facing is common enough, but I have failed to find any extra information except some old postings describing possible changes to natd/ipfw behaviour in the future which do not seem to have taken place. The problem is that of connecting _and_ controlling a company net with unregistered IP address to the Internet via a multi-homed FreeBSD box using ipfw/natd. According to my understanding, all packets going through the outer interface of the mutli-homed machine should be diverted to natd as soon as possible. The problem appears to be that outgoing packets (through the firewall) are first translated to the firewall's IP address and _then_ further constrained by the firewall rules. This gives ALL internal machines the same "access privileges" to the internet as the firewall machine. For incoming packets this is simpler since they are first translated back to the real target and then passed through the firewall so you can control them by target IP address. It seems to me that outgoing packets through the outer interface should first be run (somehow) through the firewall and if succesfull pass through natd (without a further re-injection to the firewall ruleset) whereas incoming packets should pass first from natd and then pass through the firewall rules (the existing operation). [ It is clear that only "deny" rules can be added before the "divert" rule to control the outgoing packets of internal machines and this can prove very tricky and tedious ]. I have not been able to think of a solution to this problem especially if you are assigned a _single_ real IP address by your ISP. If you are assigned a certain number of IP address by your ISP you might concider translating addresses of groups of internal machines to some specific, registered IP (lets call this a virtual portal host). Each group of machines (represented by the portal IP) will be controlled differently by the firewall. But this is getting particularly problematic as control for outgoing traffic from a group of internal hosts has to be specified with the portal IP address whereas incoming traffic towards the group individually with each actual IP address. Any help or thoughts on this matter will be greatly appreciated. If an answer is found, I volunteer to write an FAQ explaining the solution in detail. If possible please CC answers to Konstantinos.Dryllerakis@dg21.cec.be. Dr. K J Dryllerakis To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?WIN944-990528091513-3DA7*/G=KONSTANTINOS/S=DRYLLERAKIS/O=DG21/PRMD=CEC/ADMD=RTT/C=BE/>