From: Christopher Cowart <ccowart@rescomp.berkeley.edu>
To: freebsd-net@freebsd.org
Date: Mon, 24 Sep 2007 13:37:29 -0700
Subject: Re: Large-scale 1-1 NAT
Message-ID: <20070924203729.GR19429@hal.rescomp.berkeley.edu>
In-Reply-To: <200709241257.27219.max@love2party.net>
Organization: RSSP-IT, UC Berkeley

On Mon, Sep 24, 2007 at 12:57:19PM +0200, Max Laier wrote:
> On Monday 24 September 2007, Cristian KLEIN wrote:
> > Christopher Cowart wrote:
> > > The real question is: what's the best way to dynamically update the
> > > NAT table?
> >
> > You may use IPFW with IPNAT or PF instead. PF is able to reload its
> > configuration without disruption. Moreover, because the state table is
> > not flushed during a reload, you can even move NATed clients from one
> > public IP to another, without them noticing.
>
> In fact pf comes with an almost ready-made solution. Check out authpf(8)
> for details.

That looks pretty cool. The problem is these are not local users; the only
way to authenticate them is to use web-based services.

-- 
Chris Cowart
Lead Systems Administrator
Network & Infrastructure Services, RSSP-IT
UC Berkeley
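The reload-without-flush behaviour Cristian describes above is the piece that makes web-driven 1-1 NAT workable: the web application rewrites a mapping file after a user authenticates, the rules are regenerated, and `pfctl -N -f` swaps in the new NAT ruleset while existing states keep flowing. The script below is an added example written for this editorial pass, not code from the thread or from the pf project. The interface name, the "private public" mapping-file format, the file paths and the addresses are all constructed; the `-n` dry run guards against replacing the live ruleset with something pfctl cannot parse.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates pf binat
# rules from a mapping file of "<private-ip> <public-ip>" pairs and
# reloads only the NAT ruleset. `pfctl -f` does not flush the state
# table (that takes `pfctl -F states`), so sessions survive the reload.
# Interface name, file paths and addresses below are hypothetical.

# gen_binat_rules IFACE MAPPING_FILE
# Emits one "binat on IFACE from PRIV to any -> PUB" line per mapping.
# Blank lines and '#' comments are skipped; a line without exactly two
# fields is reported on stderr and dropped, so a half-written entry can
# never turn into a rule that translates to an empty address.
gen_binat_rules() {
    ifc="$1"
    mapping="$2"
    awk -v ifc="$ifc" '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        NF != 2 {
            print "bad mapping line " NR ": " $0 > "/dev/stderr"
            next
        }
        { printf "binat on %s from %s to any -> %s\n", ifc, $1, $2 }
    ' "$mapping"
}

# reload_nat IFACE MAPPING_FILE RULES_FILE
# Regenerates the rules file, syntax-checks it with a dry run (-n) and,
# only if that passes, loads the NAT rules (-N) in place. Filter rules
# and the state table are left untouched, so clients whose public IP
# changed keep their existing sessions and new ones use the new address.
reload_nat() {
    ifc="$1"
    mapping="$2"
    rules="$3"
    tmp="${rules}.new"
    gen_binat_rules "$ifc" "$mapping" > "$tmp" || return 1
    pfctl -n -N -f "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$rules" && pfctl -N -f "$rules"
}

# Typical use from the web application's post-login hook (hypothetical
# paths): append "10.0.0.5 203.0.113.5" to /var/db/natmap, then run
#   reload_nat em0 /var/db/natmap /etc/pf.nat.conf
```

Because `-N` loads only the nat/binat/rdr rules in the file, the generated file must contain nothing else; the main `/etc/pf.conf` with the filter rules stays separate and is never touched by this path. Removing a user is the same operation with the mapping line deleted; their existing states expire on their own timers rather than being cut off, which is the behaviour to expect (and to account for) when a session must end immediately.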