Date:      Tue, 22 Jan 2002 19:26:03 +0200
From:      Ruslan Ermilov <ru@FreeBSD.ORG>
To:        Ramiro Vázquez <lrvazquez@megared.net.mx>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Using ipfw to make a "Dynamic NAT depending of protocol L7"
Message-ID:  <20020122192603.C58453@sunbay.com>
In-Reply-To: <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>
References:  <008101c1a368$f23b1890$1500a8c0@corp.megared.net.mx>

On Tue, Jan 22, 2002 at 11:19:27AM -0600, Ramiro Vázquez wrote:
> Hi,
> 
>     We work at a cable ISP and we are using NAT & PAT to provide enough IP
> addresses to our customers.
> 
>     We have experienced problems with certain applications, mostly with
> peer-to-peer applications like MSN Messenger.
>     Some features like the send-file function don't work.
>     We put a sniffer in place and discovered that when one of our customers
> tries to send a file to someone outside our net, this happens:
>     1.- The application opens a port (6891-6899).
>     2.- It sends the IP of the machine (the private IP) and the port that is
> listening.
>     3.- The other peer tries to connect to the private IP and the port that
> it received.
>     4.- The connection fails.
> 
>     We modified a proxy to change the packet that the application sends,
> replacing the private IP and the local port with a public IP and another
> port; the proxy then sends these changes to an application that just maps
> or forwards the port that we sent to the outside peer to the real IP and
> port of our customer.
> 
>     This solution works and we are going to begin testing with more
> connections, but maybe it is not the best solution; one disadvantage is that
> the customer must specify a proxy, and that is hard work.
> 
>     We think that if we could make these changes with ipfw or ip-filters and
> then add a rule to natd or ip-nat to forward the port, it would be more
> efficient.
> 
>     Then we could redirect the MSN traffic to ipfw or ip-filters and make
> it all transparent to our customers.
> 
>     We think that we can do this for the most important applications to
> solve this problem, and it is very important because we use a lot of PAT and
> many applications can't work with their complete features.
> 
>     Is it possible to do this with ipfw? Is anybody working around this?
> 
>     Any idea or comment would be helpful!
> 
If you know the MSN protocol, it should be pretty easy to add the required
glue to libalias(3) to do the necessary payload stubs, etc., so that
this works transparently through natd(8) and/or ppp(8).


Cheers,
-- 
Ruslan Ermilov		Oracle Developer/DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
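As an added illustration, not code from this thread, from libalias(3) or from the poster's proxy: a Python sketch of what such an application-level gateway has to do for the four-step exchange described above, i.e. rewrite the private IP:port the client embeds in its payload and keep the reverse mapping that forwards the outside peer's connect back to the customer. The invitation format, the public address 203.0.113.5 and the port pool starting at 40000 are all assumed/constructed here, not the real MSN wire format.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed stand-in for the file-transfer invitation the thread describes:
# the client advertises its own (private) IP and listening port in the payload.
# This is NOT the real MSN wire format; only the shape of the problem is kept.
INVITE_RE = re.compile(r"IP-Address: (?P<ip>[\d.]+)\r\nPort: (?P<port>\d+)\r\n")


@dataclass
class PayloadNat:
    """Minimal ALG: rewrites an embedded private endpoint to public_ip:mapped_port
    and records the reverse mapping used to forward inbound connects."""
    public_ip: str
    next_port: int = 40000                        # assumed port pool for mappings
    forward: dict = field(default_factory=dict)   # public_port -> (priv_ip, priv_port)

    def rewrite_outbound(self, src_ip: str, payload: bytes) -> bytes:
        text = payload.decode("latin-1")          # byte-transparent round trip
        m = INVITE_RE.search(text)
        if not m:
            return payload                        # not an invitation, pass through
        adv_ip, adv_port = m.group("ip"), int(m.group("port"))
        try:
            private = ipaddress.ip_address(adv_ip).is_private
        except ValueError:
            return payload                        # malformed address, leave it alone
        # Only rewrite when the client advertises its own private address; never
        # redirect a third-party endpoint that merely happens to appear in a payload.
        if adv_ip != src_ip or not private:
            return payload
        pub_port = self._allocate((adv_ip, adv_port))
        new = f"IP-Address: {self.public_ip}\r\nPort: {pub_port}\r\n"
        return (text[:m.start()] + new + text[m.end():]).encode("latin-1")

    def _allocate(self, target: tuple) -> int:
        for port, existing in self.forward.items():
            if existing == target:
                return port                       # reuse the mapping for a repeat invite
        port = self.next_port
        self.next_port += 1
        self.forward[port] = target
        return port

    def inbound_target(self, dst_port: int):
        """Where an inbound connect to public_ip:dst_port must be forwarded, or None."""
        return self.forward.get(dst_port)
```

Step 3 of the exchange then succeeds because the outside peer connects to public_ip:mapped_port, and the NAT box looks up inbound_target() to reach the customer's real IP and port.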
