Date: Fri, 28 May 1999 10:43:42 +0200 (MET DST)
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: Konstantinos.DRYLLERAKIS@DG21.cec.be
Cc: freebsd-hackers@FreeBSD.ORG, freebsd-question@FreeBSD.ORG
Subject: Re: ipfw/natd limitation: controlling access of an unregistered net to
Message-ID: <199905280843.KAA12992@labinfo.iet.unipi.it>
In-Reply-To: <WIN944-990528091513-3DA7*/G=KONSTANTINOS/S=DRYLLERAKIS/O=DG21/PRMD=CEC/ADMD=RTT/C=BE/@MHS> from "Konstantinos.DRYLLERAKIS@DG21.cec.be" at May 28, 99 11:14:27 am
Hi,

configuring nat is a bit tricky, even more so if your machine is
configured to do routing, but it is doable. In particular, you surely
can filter packets before natd'ing them, using sequences like

    deny ip from unprivileged_ip to outside_ip
    deny tcp from privileged_ip to outside_ip unauthorized_service
    divert natd ip from privileged_ip to any

(this is for the way out; I'll let you figure out what to use for pkts
coming from the outside, plus additional 'recv in ifXX' etc. specifiers
to put...)

I think using the "via" specifier is not making the task very easy.

> It is clear that only "deny" rules can be added before the "divert"
> rule to control the outgoing packets of internal machines and this
> can prove very tricky and tedious ].

actually you can use "skipto" rules as well if you need more complex
tests.

cheers
luigi

-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
 http://www.iet.unipi.it/~luigi/ngc99/
   ==== First International Workshop on Networked Group Communication ====
-----------------------------------+-------------------------------------
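An ipfw ruleset laid out the way the reply above describes (filter the unregistered net before the divert-to-natd rule, with "skipto" for the per-host policy), as an added example that is not part of the original mail and not Luigi's own configuration. The interface fxp0, the net 192.168.1.0/24, the two "privileged" hosts and 25/tcp as the unauthorized service are assumptions made for the example; the inbound rules, which the mail leaves to the reader, are one possible policy, not the author's. By default the script only prints the ipfw(8) commands so the rule order can be inspected; set FWCMD=/sbin/ipfw to load them.

```shell
#!/bin/sh
# Added example, not from the original mail. ipfw(8) ruleset that filters
# the unregistered net before the divert-to-natd rule, with "skipto" used
# for the per-host policy. All addresses, the interface and the blocked
# service are assumptions for the example:
#   oif  = fxp0            outside interface of the gateway
#   inet = 192.168.1.0/24  the unregistered internal net behind natd
#   priv = the two internal hosts allowed to go out at all
#   25/tcp = a service the privileged hosts may not use directly
# natd(8) is assumed to listen on the "natd" divert port from /etc/services.

fwcmd=${FWCMD:-"echo /sbin/ipfw"}   # default is a dry run: print, don't load
oif=fxp0
inet=192.168.1.0/24
priv="192.168.1.10 192.168.1.11"

build_rules() {
    $fwcmd -f flush

    # -- outbound, before any translation -------------------------------
    # ipfw is first-match. Privileged hosts jump to their own section at
    # 1000; everything else from the internal net is denied right here,
    # so it never reaches natd and is never translated onto the outside
    # address.
    n=100
    for h in $priv; do
        $fwcmd add $n skipto 1000 ip from $h to any out xmit $oif
        n=$((n + 1))
    done
    $fwcmd add 200 deny ip from $inet to any out xmit $oif

    # -- inbound (assumed policy; the mail leaves this to the reader) -----
    # Anti-spoofing: nothing arriving from outside may claim an internal
    # source address. This sits before the divert, which would otherwise
    # hand the packet to natd.
    $fwcmd add 290 deny ip from $inet to any in recv $oif
    # Translate first; natd re-injects the packet at the next rule with
    # the real internal destination, so rules after 300 can match on it.
    $fwcmd add 300 divert natd ip from any to any in recv $oif
    # Only packets natd could map to an internal host carry an $inet
    # destination here; unmapped ones still bear the gateway's own
    # address and fall through to rule 400.
    $fwcmd add 310 allow ip from any to $inet in recv $oif

    # -- everything not handled above (gateway's own traffic etc.) ------
    $fwcmd add 400 allow ip from any to any

    # -- privileged hosts' outbound section, reached only via skipto -----
    # Deny the unauthorized service before the divert rule: a denied
    # packet is dropped untranslated and never leaves the box.
    $fwcmd add 1000 deny tcp from $inet to any 25 out xmit $oif
    $fwcmd add 1010 divert natd ip from $inet to any out xmit $oif
    # re-injected here with the outside source address
    $fwcmd add 1020 allow ip from any to any
}

build_rules
```

The point of the layout is that every deny for the internal net has a lower rule number than the outbound divert, so a packet that is not allowed is dropped while it still carries its internal source address and natd never sees it; the skipto keeps the privileged-host tests in one place instead of spreading per-host deny rules in front of the divert.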