Date:      Mon, 5 Feb 1996 10:31:31 -0800 (PST)
From:      "Eric J. Schwertfeger" <ejs@bfd.com>
To:        "Paul T. Root" <ptroot@uswest.com>
Cc:        Marco Masotti <mc7953@mclink.it>, questions@FreeBSD.org
Subject:   Re: IP Masquerading
Message-ID:  <Pine.BSF.3.91.960205101350.9370A-100000@harlie.bfd.com>
In-Reply-To: <9602051524.AA01251@kermit.acs.uswest.com>


On Mon, 5 Feb 1996, Paul T. Root wrote:

> In a previous message, Marco Masotti said:
> > 
> > 
> > Dear Sirs,
> > 
> > I'm running release 2.1 with success and satisfaction. I appreciate very
> > much the neat and proper design since release 2.05.
> > 
> > My question is: Being interested in IP masquerading (available from the....
> > competition)
> > is that planned or available somehow for freeBSD also?

> Try
>    ifconfig [adapter] alias [ip address] ...

Actually, this isn't what he's talking about.  The Linux implementation 
of IPFW includes some kernel mods that let a firewall translate 
(masquerade) "outgoing" requests, so that the packets have the firewall's 
IP address, and then retranslates the responses so that they get to the 
correct machine/port.

The 1.2.X kernels are limited to protocols that don't embed the IP address in the 
handshake, but the 1.3.X kernels reportedly work even for non-passive FTP.

Basically, for WWW, Telnet, and passive FTP, this lets any application 
pass through the firewall without knowing the firewall is there; the 
firewalled workstations think of the firewall as just the default router.

Our firewall allows the two internal networks unrestricted access to each 
other, and masqueraded connections to the rest of the internet (this is 
important, as the people that set up the network chose arbitrary network 
addresses for one of the internal nets before I got here, and neither net 
has "real" addresses).  So basically, in order to break into our internal 
networks, which due to some dedicated hardware that doesn't allow for 
passwords, can't be secure, someone will need to find a way to take over 
the firewall, which will be difficult, since it only listens to a handful 
of ports, none interactive (time and the like).

Works quite well, except for FTP sites that don't allow passive transfers.
In fact, that's how I get and send mail through the firewall to be on 
this list.  Masqueraded connections to our external mail server using 
SMTP/POP3 (can't SMTP in for reasons that are obvious, if I've explained 
this properly).

This "feature" is the only reason I'm using Linux on the firewall 
machine.  Well, that and how easy it was to configure 4 NE2000's.  Not 
even a kernel recompile.
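The masquerading mechanism described in the message above, written out as an added example (this is illustrative code, not the Linux IPFW implementation or anything the poster shipped). It models a header-only masquerader: outbound packets from the internal nets leave with the firewall's address and a firewall-chosen source port, replies to that port are mapped back to the originating host and port, and unsolicited packets from outside that match no mapping are dropped. It also shows why the 1.2.X-era limitation bites active FTP: the PORT command carries the client's private address in the payload, which a header-only translator forwards unchanged. The public address 192.0.2.1, the internal nets 10.0.0.0/8 and 172.16.0.0/12, and the port range starting at 60000 are assumptions chosen for the example.

```python
import ipaddress
import itertools
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The handful of header fields a masquerading firewall rewrites (constructed model)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class Masquerader:
    """Stateful one-to-many NAT in the style the message describes.

    Outbound connections from the internal nets leave with the firewall's
    address and a firewall-chosen port; replies to that port are mapped back
    to the originating internal host and port; anything arriving from outside
    that matches no mapping is dropped.  Addresses and ports are assumptions."""

    def __init__(self, public_ip, internal_nets, first_port=60000):
        self.public_ip = public_ip
        self.internal_nets = [ipaddress.ip_network(n) for n in internal_nets]
        self._ports = itertools.count(first_port)
        # flow (inner_ip, inner_port, remote_ip, remote_port) -> firewall port
        self._out = {}
        # (firewall port, remote_ip, remote_port) -> (inner_ip, inner_port)
        self._in = {}

    def is_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.internal_nets)

    def translate_outbound(self, pkt):
        """Packet seen on an inside interface.  Returns the packet to forward, or None to drop."""
        if not self.is_internal(pkt.src_ip):
            return None  # source address that does not belong on an inside interface
        if self.is_internal(pkt.dst_ip):
            return pkt  # the two internal nets reach each other unmasqueraded
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        fw_port = self._out.get(flow)
        if fw_port is None:
            fw_port = next(self._ports)
            self._out[flow] = fw_port
            self._in[(fw_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        # Only the IP/TCP header is rewritten; the payload passes through untouched.
        return replace(pkt, src_ip=self.public_ip, src_port=fw_port)

    def translate_inbound(self, pkt):
        """Packet seen on the outside interface.  Returns the packet to forward, or None to drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        inner = self._in.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inner is None:
            return None  # no internal host asked for this: unsolicited, dropped
        return replace(pkt, dst_ip=inner[0], dst_port=inner[1])


# Active-mode FTP: "PORT h1,h2,h3,h4,p1,p2" tells the server where to connect back.
_PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


def embedded_port_address(payload):
    """Return the (ip, port) embedded in an FTP PORT command, or None if payload is not one."""
    m = _PORT_CMD.match(payload)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def active_ftp_would_break(pkt, masq):
    """True when a header-only masquerader forwards a PORT command whose embedded
    address is internal: the server will try to connect to an address it cannot reach."""
    forwarded = masq.translate_outbound(pkt)
    if forwarded is None:
        return False
    embedded = embedded_port_address(forwarded.payload)
    return embedded is not None and masq.is_internal(embedded[0])
```

Passive FTP, WWW and Telnet survive because the only addresses the remote end needs are the ones in the headers, which the masquerader rewrites; active FTP fails because the address the server needs is in the payload, which this translator never touches.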



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960205101350.9370A-100000>