Date: Thu, 09 May 2002 12:31:07 -0500
From: Eric Anderson <anderson@centtech.com>
To: Nielsen <nielsen@memberwebs.com>
Cc: freebsd-security@freebsd.org
Subject: Re: ipnat and bimapping
Message-ID: <3CDAB25B.4B228C1B@centtech.com>
References: <3CDA988D.34E2148C@centtech.com> <20020509170045.5584B37B414@hub.freebsd.org>

Ok, great (I love good software).

So, my ipnat rules should look something like this:

bimap sis0 10.10.20.2/32 -> 24.24.24.1/32
map sis0 10.10.10.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.10.0/24 -> 24.24.24.1/32
map sis0 10.10.20.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.20.0/24 -> 24.24.24.1/32
map sis0 0.0.0.0/32 -> 0.0.0.0/32 proxy port 21 ftp/tcp

Does that look right? (assuming I want other hosts on the 10.10.20.0/24 net
to be able to NAT through the gateway)

Eric

Nielsen wrote:
>
> Works for me. The two ranges also don't overlap. In my experience, however,
> even if they do ipnat is smart enough to handle certain overlapping subnets
> properly. I think last rule wins.
>
> ----- Original Message -----
> > Would bimap'ing the 24.24.24.1/32 address to 10.10.20.2/32 work? Or would that
> > screw up my nat'ing of the 10.10.10.0/24 net? I need all ports NOT nat'ed to
> > 10.10.10.0/24 to go to 10.10.20.2/32. Am I asking for trouble on the protected
> > net, or is this safe? Is bimap the right thing to use?
> >
> > How big is the gun that I am about to use to shoot myself in the foot?
> >
> > Eric
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
------------------------------------------------------------------
Eric Anderson    Systems Administrator    Centaur Technology
You have my continuous partial attention
------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
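
The rule set in the message places the bimap host 10.10.20.2 inside the 10.10.20.0/24 range that later map rules also cover. The Python sketch below is an added example, not part of the original message or of IPFilter; its function names are hypothetical, it parses only the "kind iface src -> dst [options]" shape seen here, and it lists which rules overlap without modelling how ipnat chooses among them.

```python
import ipaddress
from collections import namedtuple
from itertools import combinations

# Rules copied from the message above; everything else here is illustrative.
RULES = """\
bimap sis0 10.10.20.2/32 -> 24.24.24.1/32
map sis0 10.10.10.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.10.0/24 -> 24.24.24.1/32
map sis0 10.10.20.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.20.0/24 -> 24.24.24.1/32
map sis0 0.0.0.0/32 -> 0.0.0.0/32 proxy port 21 ftp/tcp
"""

Rule = namedtuple("Rule", "line kind iface src dst options")

def parse_rules(text):
    """Parse 'kind iface src -> dst [options]' lines into Rule tuples."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[3] != "->":
            raise ValueError(f"line {no}: unrecognised rule: {raw!r}")
        kind, iface, src, _, dst = parts[:5]
        rules.append(Rule(no, kind, iface, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), " ".join(parts[5:])))
    return rules

def overlapping_sources(rules):
    """Line-number pairs whose internal networks overlap without being equal.

    Identical networks (the portmap rule plus its plain map companion) are
    skipped; only partial overlaps such as a /32 inside a /24 are reported.
    """
    return [(a.line, b.line) for a, b in combinations(rules, 2)
            if a.iface == b.iface and a.src != b.src and a.src.overlaps(b.src)]

def rules_covering(rules, host):
    """Line numbers, in file order, of rules whose internal network holds host."""
    addr = ipaddress.ip_address(host)
    return [r.line for r in rules if addr in r.src]

if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for a, b in overlapping_sources(parsed):
        print(f"rules on lines {a} and {b} cover overlapping internal addresses")
    print("10.10.20.2 is covered by lines", rules_covering(parsed, "10.10.20.2"))
```

Any host reported under more than one rule kind is worth testing against the live ruleset, since the translation it receives depends on how ipnat orders its matches.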