From owner-freebsd-security Tue Jan 25 13:18:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from lily.ezo.net (lily.ezo.net [206.102.130.13])
	by hub.freebsd.org (Postfix) with ESMTP id A29CB1537A
	for ; Tue, 25 Jan 2000 13:18:20 -0800 (PST)
	(envelope-from jflowers@ezo.net)
Received: from lily.ezo.net (jflowers@localhost.ezo.net [127.0.0.1])
	by lily.ezo.net (8.8.7/8.8.7) with SMTP id QAA04148;
	Tue, 25 Jan 2000 16:17:49 -0500 (EST)
Date: Tue, 25 Jan 2000 16:17:49 -0500 (EST)
From: Jim Flowers
To: Brad Guillory
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Skip, Natd, Ipfw, and VPN Nomads (long)
In-Reply-To: <20000125113623.A85740@baileylink.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you aren't interested in nomads logging on to an NT network or using
network neighborhood (you can still map drives) then you are OK. You are
also OK if you don't need to use natd for Internet browsing with internal
hosts but then why have natd at all?

Otherwise, unless you can figure out a way to tell outbound client
browsing packets to use natd and to tell logon server SMB messages to
bypass natd on their way back to the nomad, you are sol. Unfortunately,
they both belong to the class of destination address = any. You could use
the source address of the logon server to bypass natd but now you can't
also have -redirect_port capabilities.

Jim Flowers
#4 ISP on C|NET, #1 in Ohio

On Tue, 25 Jan 2000, Brad Guillory wrote:

> Jim,
>
> Don't you think that using an extra interface is favorable to using
> two FreeBSD boxes? I imagine that you would not even have to use
> a real second interface. This is a very detailed implementation,
> and I appreciate it much because I am about to have to configure
> a skip vpn with nomad (DHCP ADSL users). I have only allocated one
> at the POP to accomplish this so I am hoping that I am not wrong.
>
> BMG
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message