From owner-freebsd-hackers Tue Mar 9 14:41: 4 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13]) by hub.freebsd.org (Postfix) with ESMTP id 6AE5214F39 for ; Tue, 9 Mar 1999 14:40:59 -0800 (PST) (envelope-from jflowers@ezo.net)
Received: from ivy.ezo.net (ivy.ezo.net [206.150.211.171]) by lily.ezo.net (8.8.7/8.8.7) with SMTP id RAA03003; Tue, 9 Mar 1999 17:40:20 -0500 (EST)
Message-ID: <000d01be6a7e$39343960$abd396ce@ivy.ezo.net>
From: "Jim Flowers"
To: "Terry Glanfield" ,
Subject: Re: Tunnel loopback
Date: Tue, 9 Mar 1999 17:43:16 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.5
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

There is a basic problem with your strategy. SKIP is unidirectional and the inbound packets will have to be received on the configured interface to be authenticated.

There are other problems, as well. When you hide SKIP behind NAT the outside skiphost can't communicate with the inside skiphost as its address is unknown. Each direction is independent of the other, so even if the inside skiphost starts the communication the return from the outside skiphost is blocked by NAT.

The good news is that you can mix SKIP and NAT on the same box as designed. Just remember that SKIP gets the last shot (outbound; really the first shot, inbound) as it is shimmed in just before the ethernet interface that you are controlling. I think I posted a how-to on freebsd-security a couple of months back. You can put ipfw rules in before the divert to accept and therefore bypass NAT for the skip and cdp protocols.

Also control when a host on the local network uses SKIP or NAT by setting its default route for the SKIP/NAT box and then including a rule prior to the divert to accept it if you want SKIP instead of NAT. The only thing I was not able to work out was putting the default route in a tunnel to the Internet. That worked OK for the hosts that were SKIPping but also ate the routes for the hosts that were still trying to use NAT. Tunnels are OK but only for named networks; not so great for the Internet at large.

Were you able to get the FreeBSD Skip-1.0 port to compile on 3.1?

Good Luck.

-----Original Message-----
From: Terry Glanfield
To: freebsd-hackers@FreeBSD.ORG
Date: Tuesday, March 09, 1999 11:53 AM
Subject: Tunnel loopback

>
>Hi,
>
>I've been trying to use a FreeBSD (3.0-RELEASE and 3.1-RELEASE) tunnel
>
>[1] The idea is to mix NAT and SKIP on the same box by doing the SKIP
>encryption on a different interface before it hits NAT.
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-hackers" in the body of the message
>