From: Eric Anderson
Reply-To: anderson@centtech.com
To: Nielsen
Cc: freebsd-security@freebsd.org
Date: Thu, 09 May 2002 12:31:07 -0500
Subject: Re: ipnat and bimapping
Message-ID: <3CDAB25B.4B228C1B@centtech.com>

Ok, great (I love good software). So, my ipnat rules should look something like this:

bimap sis0 10.10.20.2/32 -> 24.24.24.1/32
map sis0 10.10.10.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.10.0/24 -> 24.24.24.1/32
map sis0 10.10.20.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.20.0/24 -> 24.24.24.1/32
map sis0 0.0.0.0/32 -> 0.0.0.0/32 proxy port 21 ftp/tcp

Does that look right? (assuming I want other hosts on the 10.10.20.0/24 net to be able to NAT through the gateway)

Eric

Nielsen wrote:
>
> Works for me. The two ranges also don't overlap. In my experience, however,
> even if they do ipnat is smart enough to handle certain overlapping subnets
> properly. I think last rule wins.
>
> ----- Original Message -----
> > Would bimap'ing the 24.24.24.1/32 address to 10.10.20.2/32 work? Or would that
> > screw up my nat'ing of the 10.10.10.0/24 net? I need all ports NOT nat'ed to
> > 10.10.10.0/24 to go to 10.10.20.2/32. Am I asking for trouble on the protected
> > net, or is this safe? Is bimap the right thing to use?
> >
> > How big is the gun that I am about to use to shoot myself in the foot?
> >
> > Eric

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator        Centaur Technology
You have my continuous partial attention
------------------------------------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
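An added sanity check, not part of the thread: this Python script parses the rule set posted above, lists which rules share overlapping source networks (so ordering decides the translation), and reports which internal host a bimap makes reachable from outside on every port. The rule text is a constructed copy of the list in the message; the parser only understands the map/bimap shape used there.

```python
import ipaddress
import re

# Constructed sample input: the rule set posted in the message above.
IPNAT_RULES = """\
bimap sis0 10.10.20.2/32 -> 24.24.24.1/32
map sis0 10.10.10.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.10.0/24 -> 24.24.24.1/32
map sis0 10.10.20.0/24 -> 24.24.24.1/32 portmap tcp/udp 40000:65000
map sis0 10.10.20.0/24 -> 24.24.24.1/32
map sis0 0.0.0.0/32 -> 0.0.0.0/32 proxy port 21 ftp/tcp
"""

# "map|bimap <interface> <source> -> <destination> [options]"
RULE_RE = re.compile(r"^(map|bimap)\s+(\S+)\s+(\S+)\s*->\s*(\S+)(.*)$")

def parse_rules(text):
    """Parse ipnat map/bimap lines into dicts with ip_network fields."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised ipnat line: " + line)
        kind, ifname, src, dst, opts = m.groups()
        rules.append({"kind": kind, "if": ifname, "opts": opts.strip(),
                      "src": ipaddress.ip_network(src, strict=False),
                      "dst": ipaddress.ip_network(dst, strict=False)})
    return rules

def rules_for_source(rules, host):
    """1-based numbers of the rules whose source network covers host."""
    addr = ipaddress.ip_address(host)
    return [i for i, r in enumerate(rules, 1) if addr in r["src"]]

def overlapping_sources(rules):
    """Pairs of rule numbers whose source networks overlap; for those,
    rule order decides which translation a packet gets."""
    return [(i + 1, j + 1) for i in range(len(rules))
            for j in range(i + 1, len(rules))
            if rules[i]["src"].overlaps(rules[j]["src"])]

def bimap_exposures(rules):
    """(public, internal) pairs: a bimap is bidirectional, so unsolicited
    inbound traffic to the public address is forwarded to the internal host."""
    return [(str(r["dst"]), str(r["src"])) for r in rules if r["kind"] == "bimap"]
```

Running it on the posted rules shows that the bimap host 10.10.20.2 also falls inside the two 10.10.20.0/24 map rules, which is the overlap worth reviewing before loading the file.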