Date:      Fri, 28 May 1999 10:43:42 +0200 (MET DST)
From:      Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To:        Konstantinos.DRYLLERAKIS@DG21.cec.be
Cc:        freebsd-hackers@FreeBSD.ORG, freebsd-question@FreeBSD.ORG
Subject:   Re: ipfw/natd limitation: controlling access of an unregistered net to
Message-ID:  <199905280843.KAA12992@labinfo.iet.unipi.it>
In-Reply-To: <WIN944-990528091513-3DA7*/G=KONSTANTINOS/S=DRYLLERAKIS/O=DG21/PRMD=CEC/ADMD=RTT/C=BE/@MHS> from "Konstantinos.DRYLLERAKIS@DG21.cec.be" at May 28, 99 11:14:27 am

Hi,

configuring nat is a bit tricky, even more so if your machine is
configured to do routing, but it is doable.

In particular, you surely can filter packets before natd'ing them,
using sequences like

	deny ip from unprivileged_ip to outside_ip
	deny tcp from privileged_ip to outside_ip unauthorized_service
	divert natd ip from privileged_ip to any

(this is for the way out; I'll let you figure out what to use for
pkts coming from the outside, plus additional 'recv in ifXX' etc.
specifiers to put...)

I think using the "via" specifier is not making the task very easy.

> It is clear that only "deny" rules can be added before the "divert"
> rule to control the outgoing packets of internal machines and this
> can prove very tricky and tedious ].

actually you can use "skipto" rules as well if you need more complex
tests.

	cheers
	luigi

-----------------------------------+-------------------------------------
  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)

		  http://www.iet.unipi.it/~luigi/ngc99/
====  First International Workshop on Networked Group Communication  ====
-----------------------------------+-------------------------------------
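The rule ordering Luigi describes above, written out as an rc.firewall-style
script. This is an added example, not part of the original message or of any
FreeBSD distribution file: the interface name ed0, the inside net 10.0.0.0/24
with its "privileged" (10.0.0.0/25) and "unprivileged" (10.0.0.128/25) halves,
the blocked service (SMTP) and the natd divert port 8668 are all assumptions.
Outbound packets are filtered on their real inside addresses before the divert
to natd, the privileged branch is reached with a skipto, and inbound packets are
diverted first so the rules after the divert again see inside addresses.

```shell
#!/bin/sh
# Added example (not from the original message): ipfw/natd ruleset that
# filters the unregistered inside net BEFORE the outbound divert and AFTER
# the inbound divert, so every filter rule sees un-translated addresses.
# Interface, address ranges, service and natd port are constructed assumptions.

# Dry run by default (prints the commands). On the gateway, run with
# FWCMD=/sbin/ipfw to load the rules for real.
fwcmd="${FWCMD:-echo /sbin/ipfw}"

oif="ed0"                # outside (registered) interface, assumed
inside="10.0.0.0/24"     # whole unregistered inside net, assumed
priv="10.0.0.0/25"       # hosts allowed out through natd, assumed
unpriv="10.0.0.128/25"   # hosts never allowed out, assumed
natd_port="8668"         # natd's default divert port

build_ruleset() {
    ${fwcmd} -f flush

    # --- Outbound: filter on the real inside address, THEN translate -----
    # Unprivileged hosts never get as far as the outside interface.
    ${fwcmd} add 100 deny ip from ${unpriv} to any out xmit ${oif}
    # Privileged hosts may not speak SMTP directly to the outside.
    ${fwcmd} add 110 deny tcp from ${priv} to any 25 out xmit ${oif}
    # Everything else from a privileged host jumps to the NAT section;
    # more complex tests can be hung off this branch instead of a plain deny.
    ${fwcmd} add 120 skipto 1000 ip from ${priv} to any out xmit ${oif}
    # Whatever is left from the inside net is not privileged: drop it.
    ${fwcmd} add 130 deny ip from ${inside} to any out xmit ${oif}

    # --- Inbound: translate first, then filter on the inside address -----
    ${fwcmd} add 200 divert ${natd_port} ip from any to any in recv ${oif}
    # After translation only replies to inside-initiated sessions get through.
    ${fwcmd} add 210 allow tcp from any to ${priv} established in recv ${oif}
    ${fwcmd} add 220 allow udp from any 53 to ${priv} in recv ${oif}
    ${fwcmd} add 230 deny ip from any to ${inside} in recv ${oif}

    # --- NAT section, reached only through the skipto at rule 120 --------
    ${fwcmd} add 1000 divert ${natd_port} ip from ${priv} to any out xmit ${oif}
    # The translated packet re-enters at the rule after the divert.
    ${fwcmd} add 65000 allow ip from any to any
}

build_ruleset
```

Run it without FWCMD set to inspect the generated rules; the outbound deny
rules (100 to 130) sit strictly before the outbound divert (1000), and the
inbound divert (200) sits strictly before the rules that inspect inside
addresses (210 to 230). Note that `in recv` / `out xmit` are used rather than
`via`, so each rule matches in exactly one direction.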

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199905280843.KAA12992>