Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 17 May 1996 18:13:39 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        archie@whistle.com (Archie Cobbs)
Cc:        terry@lambert.org, dwhite@riley-net170-164.uoregon.edu, clintm@ICSI.Net, FreeBSD-Questions@freebsd.org
Subject:   Re: ip masquerading
Message-ID:  <199605180113.SAA21448@phaeton.artisoft.com>
In-Reply-To: <199605180106.SAA00742@bubba.whistle.com> from "Archie Cobbs" at May 17, 96 06:06:07 pm

next in thread | previous in thread | raw e-mail | index | archive | help
> > Which is to say, everyone who understands the problem.
> 
> Hmmm... guess I don't understand the problem. :-)
> 
> Just to make sure we're talking about the same thing, ``masquerading''
> means using remapped TCP and UDP port numbers to facilitate internal
> hosts connecting to external servers, even though you only have one
> machine really talking to the Internet. You give all of the outgoing
> packets the same IP address but remap their source ports so when
> traffic comes back you know who it is really destined for, do the
> reverse mapping, etc..

Which is to say, you turn on IP forwarding by default (which is illegal)
and rewrite the packet source headers on the way in and out (which is
also illegal).

> Now, as far as the rest of the Internet is concerned, it just looks
> like your one IP address happens to be generating a lot of traffic, no?

Prove it.  Run traceroute through a masquerading host.


> At least under the (not always valid) assumption that you don't run
> out of ports in your remapping range. What standards in particular are
> you referring to?

1)	Gateway
2)	Routing

Garrett explained this all before.

> Of course, some protocols (which embed address information in the
> packets, like FTP) will not work through this kind of hackery without
> even more hackery, but at least it provides a capability to certain
> folks who didn't have it before. Seems like it would be one's own
> business whether they did masquerading or not.

Writing a socks client that hooks to a tunnel driver on the machine
that needs the masquerading is a better solution, and it doesn't
require kernel hacks to get there (or source hacks for statically
linked binaries, like normal socks does).  And it does it without
violating the world.

I guess you would need to write a tunnel client daemon (instead of
putting in about twice as much work to write IP masquerading, as
well as dragging the poor kernel into the mess).

Seems like that would provide the same capability for less effort
with fewer drabacks -- but would require an OS (like FreeBSD) with
tunnel drivers to make it work.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199605180113.SAA21448>