Date: Sat, 25 Apr 1998 02:54:25 +0000 (GMT) From: Terry Lambert <tlambert@primenet.com> To: luigi@labinfo.iet.unipi.it (Luigi Rizzo) Cc: current@FreeBSD.ORG Subject: Re: Bridging... Message-ID: <199804250254.TAA26359@usr06.primenet.com> In-Reply-To: <199804240607.IAA20557@labinfo.iet.unipi.it> from "Luigi Rizzo" at Apr 24, 98 08:07:24 am
next in thread | previous in thread | raw e-mail | index | archive | help
> + add a "linked" (or whatever name you like) command to "ifconfig" > so that you can say > > ifconfig de1 linked ed0 > > and then de1 inherits all features (ethernet and ip addresses, > aliases, netmasks...) of ed0. (Using the same ethernet addr makes > life easier when responding to ARP requests...) There are no interface flag bits left. I recently fixed this with my patch to add the "trusted" flag bit to let you tell that, if you wre to send a packet on a given socket, whether or not it would go out a trusted or untrusted interface. This is *not* a firewall definition of trust; it's basically a reimplemenetation of the Obtuse Systsems firewall attribute for the smtpd/smtpfwdd, and is used to tell whether the machine that is trying to relay mail through you is one connected to the ethernet port connected to your hub or the ethernet port connected to the Internet. It's an AntiSPAM relay facility that has low headache cost and removes the need to make DNS and full-on routing calls to see if you should let someone relay mail through you. If the interface is hooked to the hub, you allow a "RCPT TO:<anywhere>"; if it's hooked to the Internet, you only allow a "RCPT TO:<mydomains>". If you're willing to take the AntiSPAM definition of "trust" with the patches, they should apply to -current without changes. If not, you will have to manually hack out the (tiny amount) of code that adds the ability to ask the socket if the interface it will route through is "trusted". > Comments/opinions ? I would like to see the ability to set up a VPN between two non-routed internal networks; in effect, a VPN "bridge". The bridge should support DHCP. Basically, you would proxy (via NAT) between the two VPN machines, which are probably FreeBSD boxes running DHCP surrounded by PC's running Windows 95. You would need to obtain addresses in the local DHCP on behalf of the proxied net. This is pretty trivial, if you are willing to accept a limit of 256 VPN's and 65536 nodes, and use the 10/8 net. You would set each end up as 10.0/16, and then network translate the remote 10.0/16 to 10.vpn_number/16 -- block address transalation, much simpler than getting DHCP leases for each and every remote machine. This would also work with Windows 98 automatic address allocation in the 10/8 net, and with the ISC DHCP client on FreeBSD (assuming you could talk them into converting a Windows machine or two. 8-)). Terry Lambert terry@lambert.org --- Any opinions in this posting are my own and not those of my present or previous employers. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199804250254.TAA26359>