Date:      Mon, 22 Mar 1999 20:45:30 -0500
From:      "Jim Flowers" <jflowers@ezo.net>
To:        "Matthew Reimer" <mreimer@vpop.net>, "Charles Henrich" <henrich@flnet.com>, <freebsd-hackers@FreeBSD.ORG>
Subject:   Re: NAT/SKIP/MTU
Message-ID:  <001301be74ce$d63efdd0$23b197ce@ezo.net>
References:  <lists.freebsd.hackers.19990322144600.A17340@orbit.flnet.com> <36F6D023.1925D6D5@vpop.net>

Depending on what is wanted, SKIP and NAT will cooperate nicely on the same
interface.  SKIP can be used for tunneled traffic over a VPN while NAT is
used for non-SKIP traffic.  I have posted some how-tos on freebsd-security
recently but the general idea is to include appropriate matching rules in
ipfw to accept the SKIP related traffic prior to being diverted by the NAT
rule.  This can also be used to switch individual network hosts from SKIP to
NAT and back by manipulating network host rules.

----- Original Message -----
From: Matthew Reimer <mreimer@vpop.net>
To: Charles Henrich <henrich@flnet.com>; <freebsd-hackers@FreeBSD.ORG>
Sent: Monday, March 22, 1999 6:20 PM
Subject: Re: NAT/SKIP/MTU


> Are you using the latest SKIP port? There was a bug a while back in
> which SKIP used the M_EOR bit in an mbuf to mark whether or not packets
> had been decrypted, and this was causing problems with large packets.
>
> But at this point NAT and SKIP won't cooperate on the same interface,
> because NAT (since it runs in userland) doesn't have access to mbufs
> (where SKIP keeps track of which packets have been encrypted). The best
> fix seems to be to convert SKIP to a userland program using DIVERT
> sockets.
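As an added example (not part of Jim's message, the SKIP port or natd), here is a sketch in ipfw terms of the ordering he describes: SKIP-related traffic is accepted before natd's divert rule, and each LAN host gets its own bypass rule so deleting or re-adding that rule moves the host between SKIP and NAT. It assumes SKIP is IP protocol 57 with certificate discovery on UDP port 1640, natd on divert port 8668, and placeholder interface and address values.

```shell
#!/bin/sh
# Added example, not from the original message. Assumptions: SKIP is IP
# protocol 57, SKIP certificate discovery is UDP 1640, natd listens on
# divert port 8668; interface, peer and network values are placeholders.
EXT_IF="${EXT_IF:-ed0}"
VPN_PEER="${VPN_PEER:-192.0.2.10}"            # remote SKIP gateway (placeholder)
VPN_NET="${VPN_NET:-192.168.50.0/24}"         # network reached through the tunnel
SKIP_HOSTS="${SKIP_HOSTS:-10.0.0.5 10.0.0.6}" # LAN hosts that use SKIP (placeholders)
NATD_PORT=8668
HOST_BASE=200   # per-host rules at 200, 210, ...; the divert rule sits at 1000

# Rule number for a host's SKIP bypass pair, from its position in SKIP_HOSTS.
host_rule_number() {
    i=0
    for cand in $SKIP_HOSTS; do
        if [ "$cand" = "$1" ]; then echo $((HOST_BASE + 10 * i)); return 0; fi
        i=$((i + 1))
    done
    return 1
}

# Emit the ruleset, one "ipfw add" argument list per line, so it can be
# reviewed before loading: skip_nat_rules | while read r; do ipfw add $r; done
skip_nat_rules() {
    # SKIP packets to/from the peer and certificate discovery are matched
    # first, so they never reach the divert rule and are never NATed.
    echo "100 allow 57 from any to $VPN_PEER via $EXT_IF"
    echo "110 allow 57 from $VPN_PEER to any via $EXT_IF"
    echo "120 allow udp from any to $VPN_PEER 1640 via $EXT_IF"
    echo "130 allow udp from $VPN_PEER 1640 to any via $EXT_IF"
    # Per-host rules: cleartext between a SKIP host and the tunnelled network
    # bypasses NAT and is left for SKIP to encrypt. "ipfw delete N" drops that
    # host back to NAT; adding the pair again switches it back to SKIP.
    for h in $SKIP_HOSTS; do
        n=$(host_rule_number "$h")
        echo "$n allow ip from $h to $VPN_NET via $EXT_IF"
        echo "$((n + 5)) allow ip from $VPN_NET to $h via $EXT_IF"
    done
    # Everything else crossing the external interface is handed to natd.
    echo "1000 divert $NATD_PORT ip from any to any via $EXT_IF"
    echo "65000 allow ip from any to any"
}

# 1-based line of the divert rule in the emitted ruleset; every SKIP rule
# must come before it for the bypass to work.
divert_position() {
    skip_nat_rules | grep -n ' divert ' | cut -d: -f1
}
```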