Date:      Mon, 25 Mar 2002 21:27:18 -0800
From:      Randy Bush <randy@psg.com>
To:        FreeBSD Stable <freebsd-stable@freebsd.org>
Subject:   getting around an address-leaking natted application
Message-ID:  <E16pjUM-000Krw-00@rip.psg.com>

well-traveled laptop 
    with wi0 802.11b pc card
    running freebsd 4.5-stable
    vmware under it
    win98se under that

and i am communicating to it from a palm pilot with 802.11b

netgraph will not work with the wi pc card, so i have to use ipfw
and natd hacks to make the win98 vmware client visible on the net.
e.g.

ipfw.rules

    flush
    add divert natd all from any to any via wi0
    add pass all from any to any

natd.conf

    dynamic yes
    unregistered_only yes
    interface wi0
    # so the win98 vmware client can be browsed
    redirect_port tcp 192.168.254.2:137-139 137-139
    redirect_port udp 192.168.254.2:137-139 137-139
    # so the palm 802.11 hot-sync works
    redirect_port udp 192.168.254.2:14237-14239 14237-14239
    redirect_port tcp 192.168.254.2:14237-14239 14237-14239

this actually works (thanks to Bob K <melange@yip.org> for some
pointers and finding a stupid bug) with one problem.

the palm hot-sync on the win98 client seems to embed what it thinks
is its ip address, 192.168.254.2, within some data packet or
another.  so, to make it work, i had to go to my lan's default
router and add

    ip route 192.168.254.0 255.255.255.0 <public ip of freebsd>

as this is a well-traveled laptop, i don't want to count on a hack
to the local default router.  it's a pretty grotty hack anyway.

i am looking for other bright ideas.  some mediocre ones that have
occurred to me

  o hack proxy arp on the laptop.  but in many many years on net, i
    have abjured proxy arp.  if i have to do this, what is the
    recommended tool/hack?

    but a tcpdump did not show the puppy arping to find the natted
    192.168.  this makes sense, as why should it arp when it knows
    that the target can not be on the interface and needs to be
    routed?

  o don't let the palm pilot dhcp, and hand configure it every time
    and place to point to the laptop's public address for its
    default route.  awfully inconvenient.

surely i am missing something obvious and not too disgusting here.

randy
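A small diagnostic for the symptom described above (an application embedding its pre-NAT address inside the payload, which natd's port redirects cannot rewrite), added here as an example and not part of the original post. It scans packet payloads for the internal address 192.168.254.2 from the natd.conf above, both as dotted-quad text and as the raw 4-byte network-order form most binary protocols use; the sample payloads are constructed, not real HotSync captures.

```python
import ipaddress

# Internal address of the win98 vmware client, taken from natd.conf above.
INTERNAL_IP = "192.168.254.2"

# Constructed sample payloads (assumptions, not captured HotSync traffic).
SAMPLE_PACKETS = {
    # dotted-quad text embedded in a text-style payload
    "ascii_leak": b"HOST=192.168.254.2 PORT=14238\r\n",
    # same address as 4 raw bytes in network byte order
    "binary_leak": b"\x01\x02" + bytes([192, 168, 254, 2]) + b"\x00\x10",
    # clean payload: no internal address present
    "clean": b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n",
}


def find_embedded_address(payload: bytes, addr: str):
    """Return sorted (offset, encoding) pairs where addr occurs in payload.

    'ascii' matches the dotted-quad text, bounded so 192.168.254.20 or
    1192.168.254.2 do not count; 'binary' matches the packed 4-byte form.
    """
    findings = []
    ascii_form = addr.encode("ascii")
    binary_form = ipaddress.IPv4Address(addr).packed  # network byte order

    for label, needle in (("ascii", ascii_form), ("binary", binary_form)):
        start = 0
        while True:
            idx = payload.find(needle, start)
            if idx == -1:
                break
            start = idx + 1
            if label == "ascii":
                before = payload[idx - 1:idx] if idx > 0 else b""
                after = payload[idx + len(needle):idx + len(needle) + 1]
                if before.isdigit() or after.isdigit():
                    continue  # part of a longer number, not our address
            findings.append((idx, label))
    return sorted(findings)


def scan_packets(packets, addr):
    """Map packet name -> findings, keeping only packets that leak addr."""
    report = {}
    for name, payload in packets.items():
        hits = find_embedded_address(payload, addr)
        if hits:
            report[name] = hits
    return report
```

Feed it payloads pulled from a tcpdump of the redirected ports and the offsets tell you which packets (and which encoding) carry the leaked address, which decides whether a payload-rewriting ALG could help or a routing fix is the only option.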
