Date:      Tue, 4 Feb 2003 11:42:28 -0500
From:      Mikhail Teterin <mi+mx@aldan.algebra.com>
To:        net@FreeBSD.org
Subject:   Re: Does natd(8) really need to see _all_ packets?
Message-ID:  <200302041142.28554.mi%2Bmx@aldan.algebra.com>
In-Reply-To: <1044321596.358.69.camel@zaphod.softweyr.com>
References:  <200302040027.30781@aldan> <1044321596.358.69.camel@zaphod.softweyr.com>

On Monday 03 February 2003 08:19 pm, Wes Peters wrote:
= On Tue, 2003-02-04 at 05:27, Mikhail Teterin wrote:
= > Hi!
= > 
= > This question bothered me for a while -- most of the traffic on my
= > LAN is just that -- local. Yet my gw/firewall machine only has one
= > interface -- with two IP addresses -- private and public on it.
= > 
= > The DSL modem is plugged into the switch just like everything else.
= > 
= > I doubt this is a unique setup.
 
= It may not be unique, but it's certainly not very bright. What
= resource are you trying to conserve here, a $4 network interface? If
= so, I can give you a handful of them; one of the local office supply
= stores was giving them away last December and I picked up several...

Using two cards, where one works fine, is against aesthetics :-) That's my
primary reason, although there are only two slots left in the machine,
indeed.

On Tuesday 04 February 2003 09:52 am, Ruslan Ermilov wrote:
= This still isn't perfect. In a situation with a single NIC serving
= both internal and external traffic, I've found the following solution
= to be the superior: use a distinct IP address (it doesn't even have
= to be bound to a local interface) that allows you to skip not only
= local->remote traffic, but reply packets, i.e. it allows you to
= differentiate whether an incoming (external) packet is for de-natting or
= not.

Yes, I thought of this -- have 10.0.1.100 be the local address and
10.0.1.1 be the gateway, and treat them differently. But I found
it is not needed -- the two divert rules I listed:

	add divert natd all from LN to not LN via IF out
	add divert natd all from not LN to OIP via IF in

seem to remove all unnecessary interactions with natd. The simplest test
is to kill the running natd, and start it with the -v option. It will
list all packets in and out. If a packet leaves natd unchanged, the
divert rules are inefficient.

Would the following patch (untested) improve things in the meantime?

--- /etc/rc.firewall	Sun Mar  3 08:15:46 2002
+++ /etc/rc.firewall	Tue Feb  4 11:40:25 2003
@@ -237,3 +237,4 @@
                if [ -n "${natd_interface}" ]; then
-                       ${fwcmd} add divert natd all from any to any via 
${natd_interface}
+                       ${fwcmd} add divert natd all from ${inet} to not 
${inet} out
+                       ${fwcmd} add divert natd all from not ${inet} to 
${oif} in
                fi
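Review bot: the two new rules drop the `via ${natd_interface}` qualifier that the removed rule carried, so they match on every interface rather than only the one natd serves, and they use `${inet}` and `${oif}`, which nothing in this hunk defines (the surrounding `if` only tests `natd_interface`). Keep `via ${natd_interface}` on both rules, e.g. `add divert natd all from ${inet} to not ${inet} via ${natd_interface} out`, and set the LAN-network and outside-address variables where `natd_interface` is configured; since the patch is untested, the `natd -v` check described above is the way to confirm that local traffic no longer reaches natd.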


= As opposed to the firewall(7) example, I usually implement a block
= with two "divert natd" rules (for outgoing local and incoming external
= packets), and "skipto" this block when appropriate.

I think, you are describing the same thing I do :-)

On Tuesday 04 February 2003 01:32 am, Barney Wolff wrote:
= > # Stop spoofing
= > # How?
= 
= You've pointed out for yourself the fatal problem with this setup. Get
= a cheap 10baseT card to talk to the dsl modem. Are you out of slots?

Almost. Also, see the beginning, where I answer the similar question from
Wes. Since part of my LAN is wireless, I'm going to need to set up IPsec
anyway, so spoofing will not be a big deal. It can also be frustrated
(although not stopped) by explicitly listing the LAN's MAC addresses,
can it not?

Finally, since the LAN consists of the private network addresses, which
are not allowed through ISPs routers from the outside, the only danger
is another subscriber on the same segment of the ISPs network or a
wireless LAN user nearby (who needs to defeat the WEP first, easy though
it might be).

I do realize the dangers, and will, probably, add a card eventually, but
that may not be an option for others -- even $4 is plenty in Crimea, where
ru is located, for example. So I wanted to refine the example, so it can
eventually be used by others -- if not as an example of a firewall, then
as an efficient NAT setup :-)

= If you insist on using only one nic, putting a "pass ip LN LN" right
= after the lo0/127 rules will minimize overhead for local traffic.

Makes sense. Thank you!

= If you need protection from the other hosts on your lan there are
= things running on your firewall that should not be there.

NFS and Samba are the only things, it seems. I only turn the servers on
when I need them, however...

Thanks once again, everyone! Yours,

	-mi
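An added example, not part of the original message or of FreeBSD's rc.firewall: a small Python model of ipfw's `from A to B via IF in|out` matching that counts how many packets the stock single divert rule hands to natd versus the two refined rules from the message, over constructed traffic. The LAN 10.0.1.0/24 (the message names 10.0.1.x hosts), the public address 192.0.2.10, the interface name fxp0 and the remote host are all assumed.

```python
import ipaddress

# Assumed for this example: private LAN, gateway's public address, the single NIC.
LN = ipaddress.ip_network("10.0.1.0/24")
OIP = ipaddress.ip_address("192.0.2.10")
IF = "fxp0"

def match_addr(spec, addr):
    """ipfw-style address match: 'any', a host, a network, or ('not', spec)."""
    if spec == "any":
        return True
    if isinstance(spec, tuple):          # ('not', inner) negates the inner match
        return not match_addr(spec[1], addr)
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    return addr == spec

def rule_matches(rule, pkt):
    """rule = (src, dst, via, direction); pkt = (src, dst, iface, direction)."""
    rsrc, rdst, via, rdir = rule
    src, dst, iface, pdir = pkt
    if via is not None and via != iface:
        return False
    if rdir is not None and rdir != pdir:    # None means 'in or out'
        return False
    return match_addr(rsrc, src) and match_addr(rdst, dst)

# rc.firewall's single rule versus the two rules proposed in the message
ORIGINAL = [("any", "any", IF, None)]
REFINED = [(LN, ("not", LN), IF, "out"),
           (("not", LN), OIP, IF, "in")]

def diverted(rules, src, dst, direction):
    """True if the packet would be diverted to natd by any rule in the set."""
    pkt = (ipaddress.ip_address(src), ipaddress.ip_address(dst), IF, direction)
    return any(rule_matches(r, pkt) for r in rules)

def natd_hits(rules, packets):
    """Count how many of the packets reach natd under the given rule set."""
    return sum(diverted(rules, *p) for p in packets)

# Constructed traffic seen by ipfw on the one NIC, as (src, dst, direction).
# A forwarded packet crosses ipfw twice on the same NIC: 'in', then 'out'.
SAMPLE = [
    ("10.0.1.50", "10.0.1.1", "in"),        # LAN host talking to the gateway
    ("10.0.1.50", "198.51.100.7", "in"),    # LAN -> Internet, arriving on the NIC
    ("10.0.1.50", "198.51.100.7", "out"),   # the same packet leaving for the modem
    ("198.51.100.7", "192.0.2.10", "in"),   # Internet reply to the public address
    ("198.51.100.7", "10.0.1.50", "out"),   # that reply, after de-NAT, going to the LAN
]
```

With the stock rule every one of the five packets is diverted; with the refined pair only the two that natd actually has to rewrite are, which is the behaviour the `natd -v` test in the message checks for.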
