Date: Mon, 25 Oct 1999 21:19:57 -0700 (PDT) From: "Dan Seafeldt, AZ.COM System Administrator" <yankee@az.com> To: freebsd-security@FreeBSD.ORG Subject: IPDIVERT / natd Message-ID: <Pine.BSF.3.91.991025201737.15720H-100000@gate.az.com> In-Reply-To: <001e01bf1f4a$bd633660$c802a8c0@columbia.mentis.org>
Clarification I suppose is needed ...

Take the case of HOST running natd/IPDIVERT/IPFIREWALL "open" on ethernet lan A which it shares with at least 2 other host/gateways: GATEWAY X and GATEWAY Y. Both GATEWAYs can be used to reach DESTINATION a.b.c.d. HOST receives a telnet packet from CLIENT on its incoming lan B interface bound for DESTINATION: it chooses to forward that packet out the LAN A interface to GATEWAY X because GATEWAY X was defined as the default route, no other qualified route exists for DESTINATION, and DESTINATION is not available via a directly attached interface. It works, natd works, just great.

However, let's add a new twist: what if the system admin chooses to send outbound telnets originating from the private subnet through sniffing GATEWAY Y using a natd proxy_rule? Can this be done? Or is this beyond natd's current scope?

  HOST lan B:                           192.168.1.1
  CLIENT (origin of telnet connection): 192.168.1.x
  HOST lan A:                           x.x.x.50, default route is set to x.x.x.100
  GATEWAY X:                            x.x.x.100
  GATEWAY Y:                            x.x.x.200 "the other gateway"
  DESTINATION:                          a.b.c.d

syntax: (I tried this)

  natd -a x.x.x.50 -proxy_rule type encode_ip_hdr port 23 server x.x.x.200:23

and this:

  natd -a x.x.x.50 -proxy_rule type encode_tcp_stream port 23 server x.x.x.200:23

I wanted the packet forwarded to the other gateway address, marked properly (?) as a forwardable packet with the target address intact. But both ways tanked. I'm not clear on the two options anyway. But the trace looks like it might work. If I remember correctly, a gateway-bound packet has a special bit set in the IP header. Is that the missing ingredient, and if so could it be added to the proxy_rule without conflict?

By the way, I found that:

  /sbin/natd -a x.x.x.50 -proxy_rule port 23 server x.x.x.200

does do something: it brings up 200's welcome no matter where you go, obviously by intended design and a nifty trick, but not quite what we're after here, although I'm sure I'll use that one elsewhere later on...
So if you have something before I go walking through the RFCs and natd source code, much appreciated.