From owner-freebsd-questions Mon Feb 5 10:30:47 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA15556 for questions-outgoing; Mon, 5 Feb 1996 10:30:47 -0800 (PST)
Received: from horst.bfd.com ([204.160.242.10]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id KAA15550 for ; Mon, 5 Feb 1996 10:30:44 -0800 (PST)
Received: from harlie.bfd.com (bastion.bfd.com [204.160.242.2]) by horst.bfd.com (8.7.3/8.7.3) with SMTP id KAA08912; Mon, 5 Feb 1996 10:26:25 -0800 (PST)
Date: Mon, 5 Feb 1996 10:31:31 -0800 (PST)
From: "Eric J. Schwertfeger"
To: "Paul T. Root"
cc: Marco Masotti , questions@FreeBSD.org
Subject: Re: IP Masquerading
In-Reply-To: <9602051524.AA01251@kermit.acs.uswest.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-questions@FreeBSD.org
Precedence: bulk

On Mon, 5 Feb 1996, Paul T. Root wrote:

> In a previous message, Marco Masotti said:
> >
> > Dear Sirs,
> >
> > I'm running release 2.1 with success and satisfaction. I appreciate very
> > much the neat and proper design since release 2.05.
> >
> > My question is: Being interested in IP masquerading (available from the....
> > competition)
> > is that planned or available somehow for freeBSD also?
>
> Try
> ifconfig [adapter] alias [ip address] ...

Actually, this isn't what he's talking about. The Linux implementation of IPFW includes some kernel mods that let a firewall translate (masquerade) "outgoing" requests, so that the packets have the firewall's IP address, and then retranslates the responses so that they get to the correct machine/port. The 1.2.X is limited to protocols that don't imbed the IP address in the handshaking, but the 1.3.X kernels reportedly work even for non-passive FTP. Basically, for WWW, Telnet, and passive FTP, this lets any application pass through the firewall without knowing the firewall is there; the firewalled workstations think of the firewall as just the default router.
Our firewall allows the two internal networks unrestricted access to each other, and masqueraded connections to the rest of the internet (this is important, as the people that set up the network chose arbitrary network addresses for one of the internal nets before I got here, and neither net has "real" addresses). So basically, in order to break into our internal networks, which due to some dedicated hardware that doesn't allow for passwords, can't be secure, someone will need to find a way to take over the firewall, which will be difficult, since it only listens to a handful of ports, none interactive (time and the like).

Works quite well, except for FTP sites that don't allow passive transfers. In fact, that's how I get and send mail through the firewall to be on this list. Masqueraded connections to our external mail server using SMTP/POP3 (can't SMTP in for reasons that are obvious, if I've explained this properly).

This "feature" is the only reason I'm using Linux on the firewall machine. Well, that and how easy it was to configure 4 NE2000's. Not even a kernel recompile.
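Added example, not part of the message above and not the Linux IPFW code it describes: a toy Python model of the masquerading table Eric outlines (outgoing packets rewritten to the firewall's address and a firewall-chosen port, replies mapped back, anything with no table entry dropped), plus a check for the active-mode FTP case the message says only the newer kernels handle. The firewall address, internal hosts, ports and payloads are all constructed for illustration.

```python
# Added example: a toy model of IP masquerading (source NAT) as described
# in the message. Not code from the original post or from Linux IPFW.
# All addresses, ports and payloads below are constructed for illustration.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for the firewall's external (internet-facing) address.
FIREWALL_EXTERNAL_IP = "192.0.2.1"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


Flow = Tuple[str, int, str, int]  # (internal_ip, internal_port, remote_ip, remote_port)


class Masquerader:
    """Rewrites outgoing packets to carry the firewall's address and a
    firewall-chosen port, and maps the replies back to the internal host."""

    def __init__(self, external_ip: str, first_port: int = 61000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        self.by_port: Dict[int, Flow] = {}   # external port -> internal flow
        self.by_flow: Dict[Flow, int] = {}   # internal flow -> external port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal network."""
        flow: Flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_flow.get(flow)
        if port is None:
            # New flow: allocate the next free external port, record both directions.
            port = self.next_port
            self.next_port += 1
            self.by_port[port] = flow
            self.by_flow[flow] = port
        return Packet(self.external_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the internet; None means drop.

        Only replies to a recorded flow get through: with no table entry there
        is no internal host to deliver to, which is why nothing can connect
        in to the masqueraded machines."""
        flow = self.by_port.get(pkt.dst_port)
        if flow is None or pkt.dst_ip != self.external_ip:
            return None
        internal_ip, internal_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: not a reply to that flow
        return Packet(pkt.src_ip, pkt.src_port, internal_ip, internal_port, pkt.payload)


# FTP's active-mode PORT command spells out the client's own IP and port in the
# payload ("PORT h1,h2,h3,h4,p1,p2"). A header-only masquerader never rewrites
# it, so the server is told an internal address it cannot reach.
PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def embedded_address(payload: bytes) -> Optional[str]:
    """Return the IP address an FTP PORT command carries in the payload, if any."""
    m = PORT_CMD.search(payload)
    if m is None:
        return None
    return ".".join(m.group(i).decode() for i in range(1, 5))


def leaks_internal_address(nat: Masquerader, translated: Packet) -> bool:
    """True when a masqueraded packet still names a non-firewall address in its
    payload, i.e. the non-passive FTP case the message says does not work."""
    addr = embedded_address(translated.payload)
    return addr is not None and addr != nat.external_ip


if __name__ == "__main__":
    nat = Masquerader(FIREWALL_EXTERNAL_IP)
    web = nat.outbound(Packet("10.0.0.5", 1234, "198.51.100.7", 80))
    print("outbound rewritten to", web.src_ip, web.src_port)
    reply = nat.inbound(Packet("198.51.100.7", 80, web.src_ip, web.src_port))
    print("reply delivered to", reply.dst_ip, reply.dst_port)
    ftp = nat.outbound(Packet("10.0.0.5", 1235, "198.51.100.7", 21,
                              b"PORT 10,0,0,5,4,211\r\n"))
    print("active FTP leaks internal address:", leaks_internal_address(nat, ftp))
```

The translation table is keyed on the full internal flow, so repeated packets of one connection keep one external port, while an inbound packet that matches no entry (or arrives from a different peer than the one the entry was made for) is dropped rather than forwarded. The PORT check only reports the problem; rewriting the payload (and handling the changed length) is what the newer kernels described in the message add on top of this.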