Subject: Re: Building a gateway
To: Olaf Seibert <rhialto@polder.ubc.kun.nl>
From: Greg A. Woods <woods@most.weird.com>
List: port-i386
Date: 03/18/1999 02:56:49
[ On Wednesday, March 17, 1999 at 18:15:26 (+0100), Olaf Seibert wrote: ]
> Subject: Re: Building a gateway
>
> Now we're discussing NAT, I cannot find in the documentation and
> examples if the following would work:
>
> map ed1 10.1.0.0/16 -> 240.1.0.4/31 portmap tcp/udp 2000:65000
> map ed1 10.1.0.0/16 -> 240.1.0.2/32 portmap tcp/udp 2000:65000
> map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp/udp 10000:20000
>
> where I want to map internal addresses to any one of 3 external addresses
> which don't neatly fall within one netmask.
I don't know -- you'd have to try it..... (though I think the first /31
will have to be either /30 or /32)
> And rdr is not explained either...
Yes, ipnat(5) doesn't seem to be very up-to-date any more. It seems
"rdr" is not documented anywhere in the manual pages, but it is at the
web page:
<URL:http://cheops.anu.edu.au/~avalon/examples.html#redirection>
| Transparent Proxy Suppoer [sic]
|
| Transparent proxies are supported through redirection, which works in
| a similar way to NAT, except that rules are triggered by input
| packets. To effect redirection rules, ipnat must be used (same as for
| NAT) rather than ipf.
| # Redirection is triggered for input packets.
| # For example, to redirect FTP connections through this box (in this case ed0
| # is the interface on the "inside" where default routes point), to the local
| # ftp port, forcing them to connect through a proxy, you would use:
| #
| rdr ed0 0.0.0.0/0 port ftp -> 127.0.0.1 port ftp
Note that this isn't the same as the "transparent routing" feature
(using the "to" keyword in a filter rule), which as far as I can tell is
more or less capable of doing what people sometimes refer to as "layer 4
routing", or "policy based routing", e.g. (untested):
pass in quick fastroute proto tcp from squid-cache to any
pass in quick on le0 to le1:squid-cache proto tcp from any to any port = WWW
--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
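As an added example (not part of the thread or of IP Filter), a small Python checker for "map" rules of the form Olaf posted: it parses the rules, flags a /31 target as Greg suggests, reports target blocks that overlap, and lists the external addresses each target block actually spans. The regex, the warning texts and the three sample rules embedded below are my own construction; whether ipnat uses every address of a target block is an assumption, not something the thread confirms.

```python
import ipaddress
import re

# Constructed sample input: the three rules quoted in the thread.
RULES = """\
map ed1 10.1.0.0/16 -> 240.1.0.4/31 portmap tcp/udp 2000:65000
map ed1 10.1.0.0/16 -> 240.1.0.2/32 portmap tcp/udp 2000:65000
map ed1 10.1.0.0/16 -> 240.1.0.1/32 portmap tcp/udp 10000:20000
"""

# Hypothetical grammar covering only the "map ... portmap" shape above.
MAP_RE = re.compile(
    r"^map\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s*->\s*(?P<dst>\S+)"
    r"(?:\s+portmap\s+(?P<proto>tcp/udp|tcp|udp)\s+(?P<lo>\d+):(?P<hi>\d+))?\s*$"
)

def parse_map_rules(text):
    """Parse map lines into dicts; raise on any line that does not match."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a recognised map rule: {line}")
        d = m.groupdict()
        d["src"] = ipaddress.ip_network(d["src"], strict=False)
        d["dst"] = ipaddress.ip_network(d["dst"], strict=False)
        d["ports"] = (int(d["lo"]), int(d["hi"])) if d["lo"] else None
        rules.append(d)
    return rules

def check_map_rules(rules):
    """Warnings: /31 targets (per the thread), overlapping targets, bad ranges."""
    warnings, seen = [], []
    for r in rules:
        if r["dst"].prefixlen == 31:
            warnings.append(f"{r['dst']}: /31 target, thread suggests /30 or /32")
        for prev in seen:
            if r["dst"].overlaps(prev):
                warnings.append(f"{r['dst']} overlaps earlier target {prev}")
        seen.append(r["dst"])
        if r["ports"] and r["ports"][0] > r["ports"][1]:
            warnings.append(f"{r['dst']}: inverted portmap range {r['ports']}")
    return warnings

def external_pool(rules):
    """Every address the target blocks span (a /31 spans two, not one)."""
    addrs = {str(a) for r in rules for a in r["dst"]}
    return sorted(addrs, key=ipaddress.ip_address)
```

Run on the sample, the checker flags only the /31 rule, and the pool comes out as four addresses rather than the three Olaf intended.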