Date: Wed, 23 Jan 2002 16:25:52 -0600
From: Ramiro Vázquez <lrvazquez@megared.net.mx>
To: "Ruslan Ermilov" <ru@FreeBSD.ORG>
Cc: <freebsd-ipfw@FreeBSD.ORG>
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Message-ID: <002801c1a45c$ed273240$1500a8c0@corp.megared.net.mx>
References: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx> <20020122192603.C58453@sunbay.com>
OK, I'm going to make some tests and I'll tell you if I can make it.

Thanks a lot!

Ramiro.
Megacable.

----- Original Message -----
From: "Ruslan Ermilov" <ru@FreeBSD.ORG>
To: "Ramiro Vázquez" <lrvazquez@megared.net.mx>
Cc: <freebsd-ipfw@FreeBSD.ORG>
Sent: Tuesday, January 22, 2002 11:26 AM
Subject: Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"

> On Tue, Jan 22, 2002 at 11:19:27AM -0600, Ramiro Vázquez wrote:
> > Hi,
> >
> > We work at a cable-ISP and we are using NAT & PAT to provide enough IP
> > addresses to our customers.
> >
> > We have experienced problems with certain applications, mostly with
> > peer-to-peer applications like MSN Messenger.
> > Some features like the send files function don't work.
> > We put a sniffer and discovered that when one of our customers tries to send
> > a file to someone outside our net, the application does this:
> > 1.- The application opens a port (6891-6899).
> > 2.- Sends the IP of the machine (the private IP) and the port that is
> > listening.
> > 3.- The other peer tries to connect to the private IP and the port that
> > it had received.
> > 4.- The connection fails.
> >
> > We modified a proxy to change the packet that the application sends with
> > the private IP and the local port, replacing them with a public IP and
> > another port; then the proxy sends these changes to an application that just
> > maps or forwards the port that we sent to the outside peer to the real IP
> > and port of our customer.
> >
> > This solution works and we are going to begin the tests with more
> > connections, but maybe it is not the best solution; one disadvantage is that
> > the customer must specify a proxy and it's hard work.
> >
> > We think that if we could make these changes with ipfw or ip-filters and
> > then add a rule to natd or ip-nat to forward the port, it would be more
> > efficient.
> >
> > Then we can redirect the traffic of MSN to ipfw or ip-filters and make
> > it all transparent to our customers.
> >
> > We think that we can do this for the most important applications to
> > solve this problem, and it's very important because we use a lot of PAT and
> > many applications can't work with their complete features.
> >
> > Is it possible to make this with ipfw ?? Is anybody working around this
> > ??
> >
> > Any idea or comment would be helpful !!
> >
> If you know the MSN protocol, it should be pretty easy to add the required
> glue to libalias(3) to do the necessary payload stubs, etc., so that
> this works transparently through a natd(8) and/or ppp(8).
>
>
> Cheers,
> --
> Ruslan Ermilov          Oracle Developer/DBA,
> ru@sunbay.com           Sunbay Software AG,
> ru@FreeBSD.org          FreeBSD committer,
> +380.652.512.251        Simferopol, Ukraine
>
> http://www.FreeBSD.org  The Power To Serve
> http://www.oracle.com   Enabling The Information Age
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-ipfw" in the body of the message