From: Brooks Davis
To: Julian Elischer
Cc: freebsd-net@freebsd.org, Brooks Davis, "Bruce M. Simpson", Matus Harvan, Max Laier
Subject: Re: UDP catchall
Date: Thu, 1 Nov 2007 10:06:13 -0500
Message-ID: <20071101150613.GA24803@lor.one-eyed-alien.net>
In-Reply-To: <4728B324.2000406@elischer.org>
List-Id: Networking and TCP/IP with FreeBSD

On Wed, Oct 31, 2007 at 09:53:56AM -0700, Julian Elischer wrote:
> It's possible using ipfw to mostly implement this, and with an upcoming
> change, possible to completely implement this.
>
> the "uid" function of ipfw can act as a "does there exist a socket to which
> this packet would go?" test.
> and a variant of it called "for_me" that I am adding (we use it at work)
> does this even better.
>
> so, basically,
>
>     yyy:   skipto xxx ip from any to-me
>     yyy+1: fwd 127.0.0.1,1234
>     xxx:

One problem with this kind of implementation is that it's impossible to
make it plug and play. You have to have a firewall configured, and you
have to tell mtund where I can stick its rules so it doesn't screw up
your firewall config and it gets the packets it needs. One major goal of
mtund is that it require as little configuration as possible. Ideally,
you would be able to get a connection if it's possible with nothing but
the IP address(es) of the friendly server and the IPoDNS zone.

Also, while it's less useful in the UDP case, the TCP case could be
extremely useful for setting up a poor man's mtund server where you run
ssh or an HTTP service of some sort on every port.

-- Brooks
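Added illustration, not code from the thread or from mtund: a user-space model of the test Julian's ipfw rules rely on, "does a socket exist for this packet, else forward it to the catchall at 127.0.0.1,1234". It parses a constructed sample of FreeBSD `sockstat -4 -l` output (the hostnames, PIDs and ports are made up) and applies the skipto/fwd decision; it is a simplification, since the real kernel lookup also considers connected UDP sockets and the rule's placement in the ruleset.

```python
from dataclasses import dataclass

# Constructed sample in the shape of `sockstat -4 -l` output; not captured from a real host.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
bind     named      530   20 udp4   192.0.2.10:53         *:*
mtund    mtund      901   5  udp4   127.0.0.1:1234        *:*
"""

# Where the catchall daemon listens; matches the "fwd 127.0.0.1,1234" rule in the thread.
CATCHALL = ("127.0.0.1", 1234)


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # "*" for a wildcard (INADDR_ANY) bind
    port: int


def parse_sockstat(text):
    """Turn the LOCAL ADDRESS column of `sockstat -l` into Listener records."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 7:
            continue
        proto = fields[4].rstrip("46")          # tcp4/udp4/tcp6 -> tcp/udp
        addr, port = fields[5].rsplit(":", 1)   # "192.0.2.10:53" -> addr, port
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def socket_exists(listeners, proto, dst_addr, dst_port):
    """The 'does there exist a socket to which this packet would go?' test:
    a listener on the same protocol and port, bound to the destination
    address or to the wildcard address."""
    return any(l.proto == proto and l.port == dst_port and l.addr in ("*", dst_addr)
               for l in listeners)


def catchall_action(listeners, proto, dst_addr, dst_port):
    """Mirror the ruleset: packets with a matching socket skip past the fwd
    rule and are delivered normally; everything else goes to the catchall."""
    if socket_exists(listeners, proto, dst_addr, dst_port):
        return ("deliver", (dst_addr, dst_port))
    return ("fwd", CATCHALL)
```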