Re: socket / bind - specific address

On Sat, Feb 25, 2006 at 08:47:00AM -0500, Chuck Swiger wrote:
> Edwin Groothuis wrote:
> > The situation is as follows:
> >
> > We have a couple of FreeBSD routers, with RFC1918 addresses on the
> > ethernets and a public address on the loopback. This works fine for
> > connecting to the routers, but is problematic for locally originated
> > outgoing traffic (think NTP, think syslog): it takes the IP address
> > of the outgoing interface, which is the RFC1918 address.
>
> You're giving lo0 a public IP? Why?

So that it's always reachable. The machines are routers (i.e. one
or more LAN interfaces, one or more WAN interfaces). If one WAN
interface is down, traffic will follow a different path. The loopback
interface is always up, so it's always reachable.

> If you want to reach the box via a public IP and are using 1-to-1 NAT
> translation to deliver the traffic to one of your NICs using unroutable RFC-1918
> addresses, why not configure that NIC to also have the public IP, too?
>
> The IP used for locally originated traffic should be governed by the address
> specified in the bind() call; if you want that to be different, normally you
> configure the associated software being run to use something else.

Yes, but what if the software doesn't support it? As I said, I could
try a jail, but I wonder what kind of limitations that brings on
what the software can do. For example, does xntpd work inside a
jail, does snmpd work inside a jail, etc.

> I don't know how to override the default the kernel hands you if you leave the
> decision up to it, short of crafting the packets yourself or using some external
> capability like NAT to re-write the addresses being used.

Problem is that the incoming interface doesn't need to match the
outgoing interface, which confuses ipnat (been there, done that,
forced the route), and it causes other problems.

Edwin
--
Edwin Groothuis | Personal website: http://www.mavetju.org
edwin@xxxxxxxxxxx | Weblog: http://weblog.barnet.com.au/edwin/
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
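The point Chuck makes above (the source address of locally originated traffic is whatever the socket was bound to, and if the daemon never calls bind() on a specific address the kernel picks the address of the outgoing interface) is easy to see with getsockname(). The program below is an added example and is not code from the thread or from any of the daemons mentioned; it assumes only a loopback interface, so both paths end up at 127.0.0.1, but on one of Edwin's routers you would pass the public lo0 address as `src` and the kernel would use it as the source regardless of which WAN interface the route picks. The function name `pick_source` and the port 123 (NTP) are illustrative choices; connect() on a UDP socket sends no packet, it only runs the route lookup and fixes the local address, which is why this runs offline.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Open a UDP socket toward dst:dport and report the source address the
 * kernel will stamp on outgoing datagrams.
 *
 * src != NULL: bind() to that address first, so the source is forced
 *              (what a daemon with a "bind address" option does).
 * src == NULL: leave the choice to the kernel, which takes the address
 *              of the outgoing interface (the behaviour the thread is
 *              complaining about).
 *
 * Writes the chosen source as a dotted quad into out and returns 0,
 * or -1 on any error. Hypothetical helper written for this example. */
int pick_source(const char *src, const char *dst, unsigned short dport,
                char *out, size_t outlen)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    if (src != NULL) {
        struct sockaddr_in local;
        memset(&local, 0, sizeof local);   /* also zeroes sin_len on BSD */
        local.sin_family = AF_INET;
        local.sin_port = htons(0);         /* any port, but a fixed address */
        if (inet_pton(AF_INET, src, &local.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&local, sizeof local) < 0) {
            close(fd);
            return -1;
        }
    }

    struct sockaddr_in remote;
    memset(&remote, 0, sizeof remote);
    remote.sin_family = AF_INET;
    remote.sin_port = htons(dport);
    if (inet_pton(AF_INET, dst, &remote.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&remote, sizeof remote) < 0) {
        close(fd);
        return -1;
    }

    /* After connect() the local address is fixed; getsockname() shows
     * which one the kernel settled on. */
    struct sockaddr_in chosen;
    socklen_t len = sizeof chosen;
    if (getsockname(fd, (struct sockaddr *)&chosen, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return inet_ntop(AF_INET, &chosen.sin_addr, out, outlen) ? 0 : -1;
}

int main(void)
{
    char buf[INET_ADDRSTRLEN];

    /* Kernel's own choice toward a loopback destination. */
    if (pick_source(NULL, "127.0.0.1", 123, buf, sizeof buf) == 0)
        printf("unbound: kernel chose %s\n", buf);
    else
        perror("unbound");

    /* Forced choice: on a router this is where the public lo0 address
     * would go, provided the daemon lets you configure it. */
    if (pick_source("127.0.0.1", "127.0.0.1", 123, buf, sizeof buf) == 0)
        printf("bound:   source is %s\n", buf);
    else
        perror("bound");

    return 0;
}
```

The program only shows what bind() buys you when the daemon exposes it; it does not help with the case Edwin raises, a daemon with no bind-address option, for which the thread's remaining options are NAT rewriting, a jail, or crafting the packets yourself.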