Date:      Tue, 22 Jan 2002 11:19:27 -0600
From:      Ramiro Vázquez <lrvazquez@megared.net.mx>
To:        <freebsd-ipfw@FreeBSD.ORG>
Subject:   Using ipfw to make a "Dynamic NAT depending on protocol L7"
Message-ID:  <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>

Hi,

    We work at a cable ISP and we are using NAT & PAT to provide enough IP
addresses to our customers.

    We have experienced problems with certain applications, mostly with
peer-to-peer applications like MSN Messenger.
    Some features, like the send-file function, don't work.
    We put in a sniffer and discovered that when one of our customers tries to send
a file to someone outside our net, the application does this:
    1.- The application opens a port ( 6891-6899 ).
    2.- It sends the IP of the machine ( the private IP ) and the port that is
listening.
    3.- The other peer tries to connect to the private IP and the port that
it received.
    4.- The connection fails.

    We modified a proxy to change the packet that the application sends with
the private IP and the local port, replacing them with a public IP and
another port; then the proxy sends these changes to an application that just
maps or forwards the port that we sent to the outside peer to the real IP
and port of our customer.

    This solution works and we are going to begin testing with more
connections, but maybe it is not the best solution; one disadvantage is that
the customer must specify a proxy, and that is hard work.

    We think that if we could make these changes with ipfw or ip-filter and
then add a rule to natd or ip-nat to forward the port, it would be more
efficient.

    Then we can redirect the MSN traffic to ipfw or ip-filter and make it
all transparent to our customers.

    We think that we can do this for the most important applications to
solve this problem, and it's very important because we use a lot of PAT and
many applications can't work with all their features.

    Is it possible to do this with ipfw??   Is anybody working around this??

    Any idea or comment would be helpful!!

    Thanks.

Ramiro Vazquez
Megacable
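The mechanism the post describes (rewrite the private IP:port advertised inside the application payload, then install a port forward so the outside peer's inbound connection reaches the customer) is what is usually called an application-layer gateway (ALG). The following is an added example written for this archive page; it is not code from the original post, from Megacable, or from ipfw/natd. It simulates the two steps in Python: the payload field format (`IP-Address:`/`Port:` lines) is a constructed stand-in rather than MSN Messenger's real wire format, the public address 203.0.113.10 and the public port pool 40000-40009 are assumptions, and the rendered `redirect_port` lines use natd(8)'s documented syntax with those constructed values. Only ports in the 6891-6899 range the post names, advertising an RFC 1918 address, are rewritten; anything else is passed through untouched, which is the check a production ALG must make so it never rewrites addresses it does not own.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed values for this example; not taken from the original post.
PUBLIC_IP = "203.0.113.10"                # the NAT's public address (assumed)
PUBLIC_POOL = range(40000, 40010)         # public ports the ALG may hand out (assumed)
APP_PORTS = range(6891, 6900)             # 6891-6899, the range named in the post
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the address/port advertisement inside the
# application's invitation message (not the real MSN Messenger format).
FIELD_RE = re.compile(r"IP-Address: (?P<ip>[0-9.]+)\r\nPort: (?P<port>[0-9]+)\r\n")


def is_private(ip: str) -> bool:
    """True when ip falls in one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


@dataclass
class Alg:
    """Payload rewriter plus the port-forward table a NAT would consume."""
    public_ip: str = PUBLIC_IP
    pool: range = PUBLIC_POOL
    # public_port -> (private_ip, private_port)
    forwards: dict = field(default_factory=dict)

    def _allocate(self, private_ip: str, private_port: int) -> int:
        # Reuse an existing mapping so repeated invitations do not burn ports.
        for pub, target in self.forwards.items():
            if target == (private_ip, private_port):
                return pub
        for pub in self.pool:
            if pub not in self.forwards:
                self.forwards[pub] = (private_ip, private_port)
                return pub
        raise RuntimeError("public port pool exhausted")

    def rewrite(self, payload: bytes) -> bytes:
        """Replace private IP:port advertisements with public_ip:mapped port.

        Fields that are not a private address, or not in the application's
        port range, are left exactly as they were.
        """
        text = payload.decode("latin-1")   # byte-preserving decode

        def repl(m: re.Match) -> str:
            ip, port = m.group("ip"), int(m.group("port"))
            if not is_private(ip) or port not in APP_PORTS:
                return m.group(0)
            pub = self._allocate(ip, port)
            return f"IP-Address: {self.public_ip}\r\nPort: {pub}\r\n"

        return FIELD_RE.sub(repl, text).encode("latin-1")

    def natd_redirect_lines(self) -> list:
        """Render the forward table as natd(8) redirect_port directives.

        Syntax per natd(8): redirect_port proto targetIP:targetPORT aliasPORT
        """
        return [f"redirect_port tcp {ip}:{port} {pub}"
                for pub, (ip, port) in sorted(self.forwards.items())]


if __name__ == "__main__":
    # Constructed sample invitation from a customer behind the NAT.
    alg = Alg()
    msg = b"INVITE\r\nIP-Address: 192.168.1.5\r\nPort: 6891\r\n"
    print(alg.rewrite(msg))
    print("\n".join(alg.natd_redirect_lines()))
```

The forward table is what would have to be pushed to natd (or ip-nat) for the inbound leg; in this simulation it is just rendered as text, and the entries would need a lifetime so that public ports are released once a transfer ends.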


