Re: GRE and PF problem
From: Giovanni P. Tirloni (gpt_at_tirloni.org)
Date: 07/14/05
- Previous message: Danny Braniss: "Re: tcp troughput weirdness"
- In reply to: Alex Povolotsky: "Re: GRE and PF problem"
- Next in thread: Alex Povolotsky: "Re: GRE and PF problem"
- Reply: Alex Povolotsky: "Re: GRE and PF problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 14 Jul 2005 09:51:48 -0300
To: Alex Povolotsky <tarkhil@webmail.sub.ru>
Alex Povolotsky wrote:
> compunction wrote:
>
>> GRE needs to pass bidirectional. You will need a binat to make it
>> work. I have not found a firewall that will allow GRE to work with a
>> many to one nat.
>>
>>
>
> The most painful thing is that pf's nat works for GRE - SOMETIMES :-(
>
> The only thing the firewall needs to implement for natting GRE is the creation
> of two rules (forward and back) for a GRE packet, just like it does for ICMP.
>
> I'm not a firewall writer, but as far as I understand general procedural
> programming, it cannot be THAT complicated.
When a packet comes from 1.2.3.4 to your external interface you can't
determine if it's destined to 192.168.0.1 or 192.168.0.2 if both
initiated a GRE tunnel to 1.2.3.4. That's because GRE doesn't have ports
like UDP or TCP to make (de)multiplexing possible, AFAIK.
http://www.networksorcery.com/enp/protocol/gre.htm
-- 
Giovanni P. Tirloni / gpt@tirloni.org / PGP: 0xD0315C26
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
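The demultiplexing problem Giovanni describes, worked through as an added example (this is not code from the thread, from pf, or from FreeBSD). It parses a GRE header per RFC 2784/2890 to show which fields actually exist, then simulates the inbound lookup table a NAT can keep: for TCP/UDP the translated source port makes each returning 5-tuple unique, while for GRE (IP protocol 47) the returning packet from 1.2.3.4 carries nothing beyond protocol and addresses, so a shared external address maps to two candidate inside hosts. With a per-host external address (pf's binat) the collision disappears. The addresses 1.2.3.4, 192.168.0.1 and 192.168.0.2 come from the thread; the 203.0.113.x external addresses, the port numbers and the GRE packet bytes are constructed for illustration. The optional Key field is the only per-tunnel identifier in the header; whether a given NAT implementation tracks it is implementation-specific and not something the thread establishes.

```python
"""Added example: why a shared-address NAT cannot tell two GRE tunnels apart.

Addresses 1.2.3.4, 192.168.0.1, 192.168.0.2 are from the thread; the
203.0.113.x external addresses, ports and packet bytes are constructed.
"""
import struct

GRE_PROTO = 47
TCP_PROTO = 6


def parse_gre(pkt: bytes) -> dict:
    """Parse a GRE header (RFC 2784 base, RFC 2890 Key/Sequence extension).

    Fields: flags, version, encapsulated protocol type, optional checksum,
    key and sequence number. There is no source or destination port.
    """
    if len(pkt) < 4:
        raise ValueError("GRE header truncated")
    flags_ver, proto_type = struct.unpack("!HH", pkt[:4])
    hdr = {
        "checksum_present": bool(flags_ver & 0x8000),
        "key_present": bool(flags_ver & 0x2000),
        "seq_present": bool(flags_ver & 0x1000),
        "version": flags_ver & 0x0007,
        "protocol_type": proto_type,
        "checksum": None, "key": None, "sequence": None,
    }
    off = 4
    if hdr["checksum_present"]:
        hdr["checksum"] = struct.unpack("!H", pkt[off:off + 2])[0]
        off += 4  # 16-bit checksum followed by 16 reserved bits
    if hdr["key_present"]:
        hdr["key"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if hdr["seq_present"]:
        hdr["sequence"] = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    hdr["payload"] = pkt[off:]
    return hdr


def inbound_table(sessions, ext_ip_for):
    """Build the table a NAT consults for packets arriving from outside.

    sessions:   (proto, inside_ip, inside_port, remote_ip, remote_port) tuples
    ext_ip_for: inside_ip -> external address (constant for many-to-one nat,
                per-host for binat)
    Returns {inbound_key: [inside endpoints]}; >1 endpoint means ambiguity.
    """
    table = {}
    next_port = 50000  # constructed ephemeral port allocator
    for proto, in_ip, in_port, r_ip, r_port in sessions:
        ext_ip = ext_ip_for(in_ip)
        if proto == GRE_PROTO:
            # A returning GRE packet is only (protocol, remote, external):
            # there is no port the NAT could have rewritten on the way out.
            key = (proto, r_ip, ext_ip)
        else:
            # TCP/UDP: a fresh external port per session keeps the returning
            # 5-tuple unique per inside endpoint.
            key = (proto, r_ip, r_port, ext_ip, next_port)
            next_port += 1
        table.setdefault(key, []).append((in_ip, in_port))
    return table


def deliver(table, key):
    """Resolve an inbound key to 'drop', 'ambiguous', or the inside host."""
    targets = table.get(key, [])
    if not targets:
        return "drop"
    if len(targets) > 1:
        return "ambiguous"
    return targets[0][0]


SESSIONS = [
    (GRE_PROTO, "192.168.0.1", None, "1.2.3.4", None),
    (GRE_PROTO, "192.168.0.2", None, "1.2.3.4", None),
    (TCP_PROTO, "192.168.0.1", 40001, "1.2.3.4", 443),
    (TCP_PROTO, "192.168.0.2", 40002, "1.2.3.4", 443),
]
BINAT_MAP = {"192.168.0.1": "203.0.113.11", "192.168.0.2": "203.0.113.12"}


def many_to_one_result():
    """GRE reply from 1.2.3.4 to the single shared external address."""
    table = inbound_table(SESSIONS, lambda _ip: "203.0.113.1")
    return deliver(table, (GRE_PROTO, "1.2.3.4", "203.0.113.1"))


def binat_result():
    """GRE replies from 1.2.3.4 to each host's own external address."""
    table = inbound_table(SESSIONS, BINAT_MAP.__getitem__)
    return (deliver(table, (GRE_PROTO, "1.2.3.4", "203.0.113.11")),
            deliver(table, (GRE_PROTO, "1.2.3.4", "203.0.113.12")))


if __name__ == "__main__":
    # Constructed GRE header: K bit set, protocol type 0x0800 (IPv4), key 42.
    gre = parse_gre(b"\x20\x00\x08\x00\x00\x00\x00\x2a" + b"inner IPv4 packet")
    print({k: v for k, v in gre.items() if k != "payload"})
    print("many-to-one nat, GRE from 1.2.3.4 ->", many_to_one_result())
    print("binat, GRE from 1.2.3.4 ->", binat_result())
```

The TCP rows translate cleanly under either scheme; only the two GRE rows collide under the shared address, which is exactly the "works sometimes" behaviour reported upthread: with a single inside GRE peer there is one candidate and the translation is unambiguous, and it breaks the moment a second inside host talks GRE to the same remote.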