From: "Dan Seafeldt, AZ.COM System Administrator" <yankee@gate.az.com>
To: freebsd-security@FreeBSD.ORG
Date: Mon, 25 Oct 1999 21:19:57 -0700 (PDT)
Subject: IPDIVERT / natd
In-Reply-To: <001e01bf1f4a$bd633660$c802a8c0@columbia.mentis.org>

Clarification I suppose is needed ...

Take the case of HOST running natd/IPDIVERT/IPFIREWALL "open" on ethernet lan A, which it shares with at least 2 other host/gateways: GATEWAY X and GATEWAY Y. Both GATEWAYs can be used to reach DESTINATION a.b.c.d.

HOST receives a telnet packet from CLIENT on its incoming lan B interface bound for DESTINATION: it chooses to forward that packet out the LAN A interface to GATEWAY X because GATEWAY X was defined as the default route, no other qualified route exists for DESTINATION, and DESTINATION is not available via a directly attached interface. It works, natd works, just great.

However, let's add a new twist: what if the system admin chooses to send outbound telnets originating from the private subnet through sniffing GATEWAY Y using a natd proxy_rule? Can this be done? Or is this beyond natd's current scope?
    HOST lan B:     192.168.1.1
    CLIENT (origin of telnet connection): 192.168.1.x
    HOST lan A:     x.x.x.50, default route is set to: x.x.x.100
    GATEWAY X:      x.x.x.100
    GATEWAY Y:      x.x.x.200   "the other gateway"
    DESTINATION:    a.b.c.d

syntax: (I tried this)

    natd -a x.x.x.50 -proxy_rule type encode_ip_hdr port 23 server x.x.x.200:23

and this:

    natd -a x.x.x.50 -proxy_rule type encode_tcp_stream port 23 server x.x.x.200:23

I wanted the packet forwarded to the other gateway address, marked properly (?) as a forwardable packet with the target address intact. But both ways tanked. I'm not clear on the two options anyway. But the trace looks like it might work.

If I remember correctly, a gateway-bound packet has a special bit set in the IP header. Is that the missing ingredient, and if so, could it be added to the proxy_rule without conflict?

By the way, I found that:

    /sbin/natd -a x.x.x.50 -proxy_rule port 23 server x.x.x.200

does do something: it brings up 200's welcome no matter where you go, obviously by intended design and a nifty trick, but not quite what we're after here, although I'm sure I'll use that one elsewhere later on...

So if you have something before I go walking through the rfc's and natd source code, much appreciated.
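An added illustration, not part of Dan's message or of natd itself, of the two distinct operations involved: a natd proxy_rule rewrites the packet's IP destination to the named server (which is why x.x.x.200's welcome banner appears), whereas choosing a next-hop gateway is a routing decision that leaves the IP header untouched and only selects the layer-2 frame's destination on LAN A. The addresses and ARP entries below are constructed placeholders standing in for x.x.x.N and a.b.c.d.

```python
import socket
import struct

# Constructed placeholder addresses standing in for the message's x.x.x.N
# (TEST-NET-3) and a.b.c.d (TEST-NET-2); they are not real hosts.
HOST_LAN_A = "203.0.113.50"
GATEWAY_X = "203.0.113.100"    # default route
GATEWAY_Y = "203.0.113.200"    # "the other gateway"
DESTINATION = "198.51.100.7"   # a.b.c.d
CLIENT = "192.168.1.10"        # CLIENT on lan B
TELNET = 23

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum; over a valid header (checksum included) it yields 0."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int = 6, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def parse_ipv4(hdr: bytes):
    """Return (src, dst, proto, payload_len) from a header built above."""
    total_len, proto = struct.unpack("!H", hdr[2:4])[0], hdr[9]
    src, dst = struct.unpack("!4s4s", hdr[12:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, total_len - 20

def proxy_rule(hdr: bytes, server: str) -> bytes:
    """What 'natd -proxy_rule ... server S' does to a matching packet: the IP
    destination becomes S (a NAT rewrite), so S is the host that answers.
    Source aliasing to HOST_LAN_A is left out to keep the contrast visible."""
    src, _dst, proto, plen = parse_ipv4(hdr)
    return build_ipv4(src, server, proto, plen)

def route_via(hdr: bytes, next_hop: str, arp_table: dict) -> dict:
    """A routing decision: the IP header is not modified at all; the next hop
    shows up only as the destination MAC of the layer-2 frame on LAN A."""
    return {"dst_mac": arp_table[next_hop], "ip": hdr}

def compare(next_hop: str = GATEWAY_Y) -> dict:
    # Constructed ARP table for LAN A (locally administered MACs).
    arp = {GATEWAY_X: "02:00:00:00:01:00", GATEWAY_Y: "02:00:00:00:02:00"}
    pkt = build_ipv4(CLIENT, DESTINATION, payload_len=20)   # CLIENT -> a.b.c.d:23
    nat = proxy_rule(pkt, GATEWAY_Y)
    fwd = route_via(pkt, next_hop, arp)
    return {"proxy_dst": parse_ipv4(nat)[1],          # GATEWAY_Y: target replaced
            "routed_dst": parse_ipv4(fwd["ip"])[1],   # DESTINATION: target intact
            "routed_mac": fwd["dst_mac"],
            "proxy_header_valid": ip_checksum(nat) == 0}
```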