Date:      Mon, 25 Oct 1999 21:19:57 -0700 (PDT)
From:      "Dan Seafeldt, AZ.COM System Administrator" <yankee@az.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   IPDIVERT / natd
Message-ID:  <Pine.BSF.3.91.991025201737.15720H-100000@gate.az.com>
In-Reply-To: <001e01bf1f4a$bd633660$c802a8c0@columbia.mentis.org>


Clarification I suppose is needed ...

Take the case of HOST running natd/IPDIVERT/IPFIREWALL "open" on ethernet
LAN A, which it shares with at least two other host/gateways: GATEWAY X and
GATEWAY Y. Both GATEWAYs can be used to reach DESTINATION a.b.c.d. HOST
receives a telnet packet from CLIENT on its incoming LAN B interface bound
for DESTINATION: it chooses to forward that packet out the LAN A interface to
GATEWAY X because GATEWAY X was defined as the default route, no other
qualified route exists for DESTINATION, and DESTINATION is not available
via a directly attached interface. It works, natd works, just great.
However, let's add a new twist: what if the system admin chooses to send
outbound telnets originating from the private subnet through sniffing
GATEWAY Y using a natd proxy_rule? Can this be done? Or is this beyond
natd's current scope?

HOST lan B: 192.168.1.1
CLIENT (origin of telnet connection): 192.168.1.x
HOST lan A: x.x.x.50, default route is set to: x.x.x.100
GATEWAY X: x.x.x.100
GATEWAY Y: x.x.x.200 "the other gateway"
DESTINATION: a.b.c.d

syntax: (I tried this)

natd -a x.x.x.50 -proxy_rule type encode_ip_hdr port 23 server x.x.x.200:23

and this:

natd -a x.x.x.50 -proxy_rule type encode_tcp_stream port 23 server x.x.x.200:23

I wanted the packet forwarded to the other gateway address marked 
properly? as a forwardable packet with the target address intact.

But both ways tanked. I'm not clear on the two options anyway. But trace
looks like it might work. If I remember correctly, a gateway bound packet
has a special bit set in the IP header. Is that the missing ingredient and
if so could it be added to the proxy_rule without conflict? 

By the way, I found that:

/sbin/natd -a x.x.x.50 -proxy_rule port 23 server x.x.x.200

does do something: it brings up 200's welcome no matter where you go,
obviously by intended design and a nifty trick, but not quite what we're
after here, although I'm sure I'll use that one elsewhere later on...

So if you have something before I go walking through the rfc's and natd
source code, much appreciated.
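The next-hop decision the message walks through (directly attached network first, then any more specific route, then the default route, with a per-port policy override wanted on top) can be modelled in a few lines. The block below is an added illustration, not natd, ipfw or FreeBSD kernel code; it uses the documentation ranges 203.0.113.0/24 and 198.51.100.7 in place of the x.x.x.* and a.b.c.d placeholders, and the `PolicyRule` class is a constructed stand-in for whatever mechanism would actually steer the traffic.

```python
"""Constructed model of destination routing plus a policy override.

Longest-prefix match picks the route; a directly attached prefix wins over
the default route simply because it is more specific.  Policy rules are
consulted before the routing table, which is the behaviour the mail is
asking for (telnet from the private subnet steered to the other gateway).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]      # None means the prefix is directly attached
    iface: str


@dataclass
class PolicyRule:
    """Hypothetical override: src_net + proto + dst_port -> next hop."""
    src_net: ipaddress.IPv4Network
    proto: str
    dst_port: int
    gateway: str


@dataclass
class Router:
    routes: List[Route] = field(default_factory=list)
    policies: List[PolicyRule] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Plain destination routing: the longest matching prefix wins."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if addr in r.prefix and (
                best is None or r.prefix.prefixlen > best.prefix.prefixlen
            ):
                best = r
        return best

    def next_hop(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Return the address the packet is handed to on the wire."""
        saddr = ipaddress.ip_address(src)
        for p in self.policies:                      # policy beats routing
            if saddr in p.src_net and p.proto == proto and p.dst_port == dport:
                return p.gateway
        r = self.lookup(dst)
        if r is None:
            raise ValueError("no route to host")
        # Directly attached: deliver to the destination itself, no gateway.
        return r.gateway if r.gateway else dst


def build_host() -> Router:
    """HOST from the mail: LAN B private side, LAN A with default via GATEWAY X."""
    host = Router()
    host.routes.append(Route(ipaddress.ip_network("192.168.1.0/24"), None, "lan_b"))
    host.routes.append(Route(ipaddress.ip_network("203.0.113.0/24"), None, "lan_a"))
    host.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.100", "lan_a"))
    return host


def telnet_via_gateway_y(host: Router) -> Router:
    """Add the override the mail asks about: private-subnet telnet -> GATEWAY Y."""
    host.policies.append(
        PolicyRule(ipaddress.ip_network("192.168.1.0/24"), "tcp", 23, "203.0.113.200")
    )
    return host


if __name__ == "__main__":
    h = build_host()
    print("plain routing:", h.next_hop("192.168.1.5", "198.51.100.7", "tcp", 23))
    telnet_via_gateway_y(h)
    print("with policy:  ", h.next_hop("192.168.1.5", "198.51.100.7", "tcp", 23))
    print("port 80 still:", h.next_hop("192.168.1.5", "198.51.100.7", "tcp", 80))
```

The point of the model is the ordering: as long as only destination routing runs, every packet for a.b.c.d goes to the default gateway, and only a rule keyed on source subnet and destination port can move the telnet flow to the other gateway while leaving everything else alone.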
