From owner-freebsd-hackers Mon Mar 22 17:45:22 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 15DDA15314 for ; Mon, 22 Mar 1999 17:45:13 -0800 (PST) (envelope-from jflowers@ezo.net)
Received: from crocus (c3-1d196.neo.rr.com [24.93.233.196]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id UAA04236; Mon, 22 Mar 1999 20:44:18 -0500 (EST)
Message-ID: <001301be74ce$d63efdd0$23b197ce@ezo.net>
From: "Jim Flowers"
To: "Matthew Reimer" , "Charles Henrich" ,
References: <36F6D023.1925D6D5@vpop.net>
Subject: Re: NAT/SKIP/MTU
Date: Mon, 22 Mar 1999 20:45:30 -0500
Organization: EZNets, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2014.211
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2014.211
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Depending on what is wanted, SKIP and NAT will cooperate nicely on the same interface. SKIP can be used for tunneled traffic over a VPN while NAT is used for non-SKIP traffic.

I have posted some how-tos on freebsd-security recently, but the general idea is to include appropriate matching rules in ipfw to accept the SKIP-related traffic prior to its being diverted by the NAT rule. This can also be used to switch individual network hosts from SKIP to NAT and back by manipulating network host rules.

----- Original Message -----
From: Matthew Reimer
To: Charles Henrich ;
Sent: Monday, March 22, 1999 6:20 PM
Subject: Re: NAT/SKIP/MTU

> Are you using the latest SKIP port? There was a bug a while back in
> which SKIP used the M_EOR bit in an mbuf to mark whether or not packets
> had been decrypted, and this was causing problems with large packets.
>
> But at this point NAT and SKIP won't cooperate on the same interface,
> because NAT (since it runs in userland) doesn't have access to mbufs
> (where SKIP keeps track of which packets have been encrypted). The best
> fix seems to be to convert SKIP to a userland program using DIVERT
> sockets.
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
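Added example, not from the thread and not any FreeBSD code (the helper is hypothetical; the addresses and divert port are constructed): a small model of ipfw's first-match evaluation over a subset of its rule syntax, showing why the accept rules for SKIP (IP protocol 57) must be numbered ahead of the natd divert rule, and how dropping one host's accept rules moves that host onto the NAT path.

```python
import ipaddress
import re

# Added example, not from the thread: models ipfw first-match evaluation
# over "add <num> <action> <proto> from <src> to <dst>" rules so the ordering
# of SKIP accept rules against the NAT divert rule can be checked offline.
RULE_RE = re.compile(
    r"add (?P<num>\d+) (?P<action>allow|deny|divert \d+) (?P<proto>\S+) "
    r"from (?P<src>\S+) to (?P<dst>\S+)$"
)
PROTO_NAMES = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "skip": 57}

def _net(spec):
    # ipfw's "any" matches every address; a bare host address is a /32
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rule: " + line)
    proto = m["proto"]
    proto = PROTO_NAMES[proto] if proto in PROTO_NAMES else int(proto)
    return {"num": int(m["num"]), "action": m["action"], "proto": proto,
            "src": _net(m["src"]), "dst": _net(m["dst"])}

def first_match(rules, src, dst, proto):
    """Action of the lowest-numbered rule matching the packet (ipfw semantics)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r["num"]):
        if (r["proto"] is None or r["proto"] == proto) and s in r["src"] and d in r["dst"]:
            return r["action"]
    return "deny"  # ipfw's implicit default rule 65535

def ruleset(skip_base=1000):
    """SKIP accept rules numbered from skip_base; the natd divert rule is fixed at 2000."""
    # Constructed addresses: 203.0.113.1 is the gateway, 192.0.2.10 the SKIP peer.
    lines = [f"add {skip_base} allow skip from 192.0.2.10 to 203.0.113.1",
             f"add {skip_base + 10} allow skip from 203.0.113.1 to 192.0.2.10",
             "add 2000 divert 8668 ip from any to any"]
    return [parse_rule(l) for l in lines]

def _is_host(net, h):
    return net.num_addresses == 1 and net.network_address == h

def without_host(rules, host):
    """Drop the per-host accept rules, so that host's traffic falls through to NAT."""
    h = ipaddress.ip_address(host)
    return [r for r in rules if not (_is_host(r["src"], h) or _is_host(r["dst"], h))]
```

With the accept rules at 1000 the peer's SKIP packets never reach natd; renumbering them after 2000 hands every SKIP packet to the divert socket, which is the failure mode the thread is about.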