From: Jim Dennis
Message-Id: <199605210313.UAA06708@mistery.mcafee.com>
Subject: Re: ip masquerading
To: jimd@mistery.mcafee.com (Jim Dennis)
Date: Mon, 20 May 1996 20:13:54 -0700 (PDT)
Cc: root@bonsai.its.utas.edu.au, FreeBSD-Questions@freebsd.org
In-Reply-To: <199605201948.MAA06002@mistery.mcafee.com> from "Jim Dennis" at May 20, 96 12:48:09 pm

> > Hi,
> > Sorry to stick an uneducated oar in the water but where does something
> > like SLiRP fit in to all this?
>
> I don't know where SLiRP fits into IP Masquerading.
>
> > According to the documentation
> > SLiRP allows you to connect a network of hosts to the internet without needing
> > globally unique numbers (ie you can use 10.0.2.xxx for your hosts).
>
> That would suggest that SLiRP is acting as a network address translator
> (NAT) or as a proxy (like SOCKS).
>
> > Does this contravene the rfcs?
> > Andrew
>
> 10.x.x.x and 192.168.x.x are listed in RFC1597 quoted below:
> ----------------------------------------------------------------------
> 3. Private Address Space
>
> The Internet Assigned Numbers Authority (IANA) has reserved the
> following three blocks of the IP address space for private networks:
>
> 10.0.0.0 - 10.255.255.255
> 172.16.0.0 - 172.31.255.255
> 192.168.0.0 - 192.168.255.255
>
> We will refer to the first block as "24-bit block", the second as
> "20-bit block", and to the third as "16-bit" block. Note that the
> first block is nothing but a single class A network number, while the
> second block is a set of 16 contiguous class B network numbers, and
> third block is a set of 255 contiguous class C network numbers.
> ----------------------------------------------------------------------
>
> Note: you can't just use your FreeBSD box as a router
> between your provider's IP network (the number he gives your
> PPP connection) and your internal network (the numbers you
> pick from the above list). This is because your packets would
> go out to the net with a source address in one of these reserved
> ranges -- and all of the properly configured routers on the
> net will reject them (since IANA has promised that no valid
> internet host will ever have one of these addresses).
>
> With proxying or NAT your packets (from the private net hosts)
> get to the gateway host -- the gateway host sends *its own
> packets out to the net* then it sorts out the packets it
> receives and sends the response back to the applications/hosts
> that initiated the proxied session). (Thus the term "gateway"
> -- which in OSI terminology means "works at the application layer"
> vs. the term "router" -- which refers to software (or firmware)
> that operates at the transport layer (or thereabouts)).
>
> I'm sorry I didn't answer your questions about SLiRP and
> IP Masquerading specifically. I don't know about those.
>
> Jim Dennis,
> System Administrator,
> McAfee Associates

Just to follow up my own posting -- I forgot to mention that Darren Reed's
IPFilter package claims to do NAT. It should compile under FreeBSD (I don't
know for sure -- I haven't had a chance to get around to it. But that's what
I've read).

(Ironically I wanted to do the NAT and Proxying from a Linux box -- at least
initially and for testing -- but it looks like I may have to convince my boss
to let me stick *another* underloaded box on the net for a bit of
experimenting since Darren hasn't done anything to add Linux support to
IPFil -- well -- he put in one .h file but...)

Can anyone on *this* list tell me if Linux's new IP Masquerading obviates the
need for this?

Let me get a bit more basic and general. Here's a list of terms that I hear
bandied about and my approximations of what they mean:

IP aliasing: binding multiple IP addresses to one interface

Proxy ARP: allow a machine to route to a machine or group of machines
without using a subnet?

IP forwarding: allows a machine to act as a router -- move packets from one
interface to another

IP multicasting: allows participation in MBONE and used by some versions of
gated?

IP tunneling: (IP in IP) allows one to configure a machine such that it
"appears" to be on a non-local network? used with encryption to create VPNs
(virtual private networks)?

SKIP: (secure keyed IP???) and encrypted IP ???

IP filtering: allows rule-based packet filtering -- some recent versions
maintain application-specific state information -- most don't.

Proxying: Allows machines on a net to all use one machine to talk to any
machines on the outside internet. Allows an organization to "hide" most of
their machines behind a limited number of "bastions." Allows the org to have
a very restrictive set of packet filters -- basically to allow IP traffic
only to the bastions and the sacrificial/public servers/hosts. (There are two
types of Proxying???: TIS FWTK (firewall toolkit) and SOCKS (4 & 5))

packet filters: set of rules on a router that allow, reject, log, or deny
packets based on source or destination addresses, ports or certain flags or
options. These are implemented in the firmware of most routers and they are
implemented by kernel options in some versions of Unix (such as the IPFW code
in FreeBSD and the IP firewall code in Linux). These can also be implemented
in applications code ?? (such as Darren Reed's IPFilter package)??

TIA: (The Internet Adapter): a Win/DOS user-level IP emulator

SLiRP: (a Linux user-level IP emulator)

SLIPNot: (a Windows GUI browser that uses shell commands and lynx -dump
instead of IP as the transport)

IP Masquerading: (kernel level NAT in Linux???)

NAT: (Network address translation: method of translating "hidden" -- i.e.
RFC1597 -- addresses into "official" (i.e. IANA issued/registered) addresses
through a host. The host rewrites the packets as it "routes" them and
maintains a dynamic table of which IP port is being used for each of the
connections). This makes the translating host look like one very busy system
(lots of IP ports in use -- lots of "connections"). The difference between
NAT and Proxying is that Proxying requires the collusion of the applications
(must use "socksified" clients). NAT and proxying can be used concurrently:
proxying (for the applications that support it) is less "expensive" but NAT
can fill in the gaps for those (few) applications with no proxy-enabled
clients.

bootp: protocol that allows machines to get their "boot parameters" from a
host on the local net (via ARPs and ether broadcasts???)

DHCP: more complex protocol for dynamic allocation of IP addresses and
distribution of router, netmask, and other IP info??? (Dynamic Host
Configuration Protocol).

bridging: like routing but at a lower level. Allows an ethernet network to be
segmented (distributed across multiple wires) without introducing routers and
additional subnets (and thus affecting all of the hosts on the local net).

What did I miss? What did I get wrong?

Jim Dennis,
System Administrator,
McAfee Associates
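A toy translation table for the NAT description above (the gateway sending packets out under its own address and keeping a per-connection port table), added here as an illustration and not code from this thread, IPFilter or Linux IP Masquerading. The gateway address 198.51.100.1, the hosts and the starting port 40000 are constructed sample values.

```python
# Constructed illustration of a port-translating NAT host: packets sourced from
# an RFC 1597 block are rejected by Internet routers, so the gateway rewrites
# them to its own address and records which gateway port belongs to which session.
import ipaddress
from dataclasses import dataclass

PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    """True if addr lies in one of the three RFC 1597 private blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def upstream_router_accepts(pkt):
    """A properly configured Internet router drops packets sourced from private space."""
    return not is_private(pkt.src)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port   # next free port on the gateway's own address
        self.table = {}      # (private src, sport, dst, dport) -> gateway port
        self.reverse = {}    # (gateway port, dst, dport) -> (private src, sport)

    def outbound(self, pkt):
        """Rewrite a packet leaving the private net; allocate a gateway port on first use."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Map a reply back to the private host; drop it if no private host started the session."""
        entry = self.reverse.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None
        priv_src, priv_sport = entry
        return Packet(pkt.src, pkt.sport, priv_src, priv_sport)
```

Each private host and port pair gets its own gateway port, which is why the translating host looks like one very busy system from the outside.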