Re: Quick question about the tired ipf/ipnat/"dmz"/bridge scenario
From: Bruce A. Mah (bmah_at_freebsd.org)
Date: 12/23/04
- Previous message: Jeff Behl: "RE: %cpu in system - squid performance in FreeBSD 5.3"
- In reply to: Andrew Heyn: "Quick question about the tired ipf/ipnat/"dmz"/bridge scenario"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: Andrew Heyn <aheyn@jmsent.com> Date: Thu, 23 Dec 2004 14:07:01 -0800
If memory serves me right, Andrew Heyn wrote:
> Quoting http://www.moatware.com/support/docbook/faq-bridge.html,
>
> 10.8. Why can't hosts on a NATed interface talk to hosts on a bridged
> interface?
> This frequently happens when someone wants to bridge an interface to their
> WAN to use it as a DMZ, and wants to put all of the hosts on their LAN
> interface behind a NAT. This is actually a fairly reasonable and natural
> thing to want to do.
Interesting. This text is part of a document that appears to be, almost
verbatim, copied from the documentation from m0n0wall, a FreeBSD-based
firewall package. The original is at:
I have some thoughts about this, but they're way off-topic for this
list.
> The problem here is that ipnat and bridging (at least as implemented in
> FreeBSD) don't play well together. Packets from the LAN to the DMZ go out
> just fine, but in the other direction, it seems like the packets arriving on
> the unnumbered bridge interface don't get looked up correctly in the ipnat
> state tables.
>
> I've managed to convince myself that solving this is Really Really Hard
> (TM). The irritating thing is that there's no theoretical reason why this
> should be difficult...it all comes down to implementation details.
>
>
> Is there any way at all, even with kludges, to get this to work? I'd be
> extremely interested if there was any to accomplish this, as specified
> above.
I wrote this after I implemented m0n0wall's filtered bridging feature
and had about a dozen people ask me this question, which is a reasonable
question to ask, but tiring after you've heard it more than about five
times. :-p
My memory is a bit hazy but I think the problem was ipnat doesn't know
that packets arriving on the unnumbered bridge interface need to have
inbound NAT stuff done to them. It would need to know or figure out
that the inbound interface was in a bridging group and that one of the
other interfaces in the group was the interface being used for outbound
NAT packets.
I bet one could probably get this to work, if they were willing to hack
up IPFilter and get it to understand the bridge(4) data structures.
Bruce.
- application/pgp-signature attachment: This is a digitally signed message part
- Previous message: Jeff Behl: "RE: %cpu in system - squid performance in FreeBSD 5.3"
- In reply to: Andrew Heyn: "Quick question about the tired ipf/ipnat/"dmz"/bridge scenario"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
