Re: Hiding NATs with PF

From: Greg Hennessy (me_at_privacy.org)
Date: 09/28/05

    Date: Wed, 28 Sep 2005 18:01:12 +0100
    
    

    On 28 Sep 2005 07:53:23 -0700, "Max Bolingbroke"
    <batterseapower@hotmail.com> wrote:

    >> What are you protecting yourself against exactly ?
    >
    >Well, the problem is that I am going to be connecting to a network
    >which has a strict limit of 1 IP address per person but also
    >inexplicably has a policy where you are not allowed to run your own
    >router. I'm trying to circumvent this restriction :). If you don't want
    >to help me given this, I would understand.

    How do they 'enforce' this policy exactly ? I've worked in environments
    with ridiculous policies because some clueless idiot copied something out
    of a textbook.

    Dictating the network architecture of an external 3rd party would fit the
    'ridiculous' category.

    Dictating to anyone connecting over the internet that they cannot have a
    router and are required to directly expose their network would definitely
    fit into the 'ridiculous' category.

    >
    >> > Are there any further ways I can have PF munge my
    >> >outgoing packets so look like they all come from the same flavour of TCP
    >> >stack?
    >>
    >> You mean a http://lcamtuf.coredump.cx/p0f-help/
    >> response looking something like ?
    >>
    >> UNKNOWN [65535:56:1:64:M1438,N,W3,N,N,T,S,E:P:?:?] (up: 8454 hrs) ->
    >> 213.134.128.25:80 (link: unknown-1478)
    >
    >That would be nice, but I've been using that page to diagnose my setup
    >and it stubbornly tells me I am running OpenBSD whatever I do. How did
    >you achieve this signature?

    That's done using transparent squid in the middle.

    >With PF?

    Yep, worked a treat on OpenBSD and currently on Free.

    Regarding Daniel's comment on proxies, you could do a lot worse than using
    the Dante socks proxy (dunno if it's in the OpenBSD ports tree, it is in
    FreeBSD)

    If you're using win32 on the LAN side of your network adding sockscap to
    the mix makes using it seamless from all applications.

    Greg

    >
    >Thanks for your reply,
    >
    >Max

    -- 
    "Access to a waiting list is not access to health care"
    
