Re: Transparent Firewall with NAT

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Cédric THIBAULT <cedric.thibault@...>

To: <misc@...>

Subject: Re: Transparent Firewall with NAT

Date: Wednesday, October 10, 2007 - 11:59 am

2007/10/10, stuart van Zee <stuartv@datalinesys.com>:
quoted text>
> > From:
> >
> > Hello everybody,
> >
> > I work on BSD 4.1, with i386 hardware.
> >
> > I'm searching a way to enable a transparent firewall (without ip
> adress),
> > probably in bridge mode.., with a capability of NAT. I know the
> > interest is
> > not evident to nat some computers on the same IP lan, but it's
> > for a client,
> > so....!
> >
> > It seems that PF doesn't have this capability. Perhaps, it could
> > be possible
> > with an another package ?
> >
> > Thank's for your comments...
> >
> > Cidric.
>
> I am not sure you understand what NAT is.  When you use NAT to allow a
> system on one network to access another network, the traffic is NATted
> to the IP of the box doing the NAT.  In the case of a firewall like
> device, the traffic would be given the IP address of the outer interface
> of the firewall.
>
> inside box (1)----> firewall/bridge doing nat (2)-----> Internet etc.
>
> (1) network traffic leaves the inside box, it has the source IP of the
> inside box.
>
> (2) The network traffic is NATted by the firewall, when it leaves the
> outer interface of the firewall it now has the source IP address of the
> outer interface of the firewall.
>
> Any return traffic would simply take the same steps in reverse.
>
> If the firewall/bridge does not have any IP addresses, there is no way
> that NAT can occur, It has no IP address to change the source IP to.
>
> If I have this wrong somehow, please let me know.
>
> s
>
> Thank's for your comment. Unfortunately, i well understand the Nat
process.

I's right it's not seems to be interesting to nat some machine in the same
IP lan, but that is what i want.

The problem, you said it very well, it's the firewall can't assign it's own
IP adress because is in bridge mode.

So, the idea is to set a particular IP on all trafic outgoing from the
firewall.
The rule could be this one :

nat pass on bridge0 inet tagged LAN1 -> 192.168.2.3  (it's an example of an
ip pick in the LAN...)
pass in inet proto {tcp,udp, icmp} on $lan1_if <http://10.0.0.0/24> tag LAN1

I don't know if this syntax is ok, because i never tested it.

Someone knows ?

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: Transparent Firewall with NAT, stuart van Zee, (Wed Oct 10, 11:25 am)

Re: Transparent Firewall with NAT, Cédric THIBAULT, (Wed Oct 10, 11:59 am)

Re: Transparent Firewall with NAT, ropers, (Fri Oct 12, 5:27 pm)

Re: Transparent Firewall with NAT, Marcus Andree, (Wed Oct 10, 1:00 pm)

Navigation

Mail archive search

Popular discussions


linux-kernel:
David Newall	Re: Slow DOWN, please!!!
Renato S. Yamane	Error -71 on device descriptor read/all
Greg Kroah-Hartman	[PATCH 004/196] Chinese: add translation of SubmittingPatches
Bart Van Assche	Integration of SCST in the mainstream Linux kernel
git:
Shawn O. Pearce	libgit2 - a true git library
Martin Langhoff	Re: pack operation is thrashing my server
Aubrey Li	git proxy issue
Pierre Habouzit	git send-email improvements
netbsd-tech-kern:
Elad Efrat	Integrating securelevel and kauth(9)
Hubert Feyrer	Compressed vnd handling tested successfully
Matt Thomas	Interrupt, interrupt threads, continuations, and kernel lwps
Michael	Re: yamt-km branch
openbsd-misc:
Richard Stallman	Real men don't attack straw men
Will Maier	cron doesn't run commands in /etc/crontab?
askthelist	Packets Per Second Limit?
Harald Dunkel	Packet Filter: how to keep device names on hardware failure?

Latest forum posts


Question on swap as ramdisk partition	2 hours ago	Linux kernel
Netfilter kernel module	13 hours ago	Linux kernel
serial driver xmit problem	15 hours ago	Linux kernel
Why Windows is better than Linux	15 hours ago	Linux general
How can I see my kernel messages in vt12?	22 hours ago	Linux kernel
Grub	1 day ago	Linux general
vmalloc_fault handling in x86_64	1 day ago	Linux kernel
epoll_wait()ing on epoll FD	1 day ago	Linux kernel
Framebuffer in x86_64 causes problems to multiseat	2 days ago	Linux kernel
Difference between 2.4 and 2.6 regarding thread creation	2 days ago	Linux general

Show all forums...

Recent Tags

more tags

Colocation donated by:

Online users

Mr_Z

Syndicate