From: Luigi Rizzo
Date: Fri, 28 May 1999 10:43:42 +0200 (MET DST)
To: Konstantinos.DRYLLERAKIS@DG21.cec.be
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-question@FreeBSD.ORG
Subject: Re: ipfw/natd limitation: controlling access of an unregistered net to
Message-Id: <199905280843.KAA12992@labinfo.iet.unipi.it>
In-Reply-To: from "Konstantinos.DRYLLERAKIS@DG21.cec.be" at May 28, 99 11:14:27 am

Hi,

configuring nat is a bit tricky, even more so if your machine is
configured to do routing, but it is doable.

In particular, you surely can filter packets before natd'ing them,
using sequences like

    deny ip from unprivileged_ip to outside_ip
    deny tcp from privileged_ip to outside_ip unauthorized_service
    divert natd ip from privileged_ip to any

(this is for the way out; I'll let you figure out what to use for
pkts coming from the outside, plus additional 'recv in ifXX' etc.
specifiers to put...)

I think using the "via" specifier is not making the task very easy.

> It is clear that only "deny" rules can be added before the "divert"
> rule to control the outgoing packets of internal machines and this
> can prove very tricky and tedious ].

actually you can use "skipto" rules as well if you need more complex
tests.

cheers
luigi

-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
 http://www.iet.unipi.it/~luigi/ngc99/
==== First International Workshop on Networked Group Communication ====
-----------------------------------+-------------------------------------
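The ordering Luigi describes (deny and skipto rules ahead of the divert natd rule, for the outbound direction), as an added example that is not part of the original mail: a small first-match simulator of such an ipfw ruleset in Python, where the nets, ports and rule numbers are constructed for illustration rather than taken from the thread.

```python
# Added example, not part of the mail: a first-match simulator for the ipfw
# ordering discussed above. "deny" and "skipto" rules must sit before the
# "divert natd" rule; once a packet matches divert, later rules never see it.
from ipaddress import ip_address, ip_network

PRIVILEGED = ip_network("192.168.1.0/25")       # constructed: may go out via natd
UNPRIVILEGED = ip_network("192.168.1.128/25")   # constructed: must stay inside
UNAUTHORIZED = {23, 6667}                       # constructed "unauthorized_service" ports

# (rule number, action, proto, source net, dst port set or None, target)
# Outbound direction only; ordering mirrors the sequence in the mail.
RULES = [
    (100,   "deny",   "ip",  UNPRIVILEGED, None,         None),   # deny ip from unprivileged_ip
    (200,   "skipto", "tcp", PRIVILEGED,   None,         1000),   # more complex tests live at 1000+
    (300,   "divert", "ip",  PRIVILEGED,   None,         "natd"), # non-TCP from privileged -> natd
    (1000,  "deny",   "tcp", PRIVILEGED,   UNAUTHORIZED, None),   # deny tcp ... unauthorized_service
    (1100,  "divert", "tcp", PRIVILEGED,   None,         "natd"), # divert natd tcp from privileged_ip
    (65535, "deny",   "ip",  ip_network("0.0.0.0/0"), None, None), # default deny
]

def matches(rule, proto, src, dport):
    _, _, rproto, rnet, rports, _ = rule
    if rproto != "ip" and rproto != proto:
        return False
    if ip_address(src) not in rnet:
        return False
    return rports is None or dport in rports

def evaluate(proto, src, dport, rules=RULES):
    """Walk the ruleset first-match, honouring skipto; return (rule_no, verdict)."""
    i = 0
    while i < len(rules):
        num, action, _, _, _, target = rules[i]
        if not matches(rules[i], proto, src, dport):
            i += 1
            continue
        if action == "skipto":
            # ipfw resumes at the first rule numbered >= the skipto target
            i = next(k for k, r in enumerate(rules) if r[0] >= target)
            continue
        return num, action if target is None else f"{action} {target}"

if __name__ == "__main__":
    for pkt in [("tcp", "192.168.1.200", 80), ("tcp", "192.168.1.10", 23),
                ("tcp", "192.168.1.10", 80), ("udp", "192.168.1.10", 53)]:
        print(pkt, "->", evaluate(*pkt))
```

A real ruleset also needs the in/out, via and recv specifiers the mail mentions, which this simulator leaves out.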