
Re: ftp-proxy's inability to proxy using arbitrary source ip addresses

On Fri, Mar 08, 2002 at 04:00:12PM -0800, Adam Herscher wrote:

> ISP --- <router> --rfc1918-ip-space-- (xl1)<pf firewall> --- Client
> 
> Although the point to point connection between the router and the pf
> firewall uses private ip space, pf on the firewall NATs the outside (xl1)
> interface (numbered 10.0.0.1) to a global ip address 64.1.1.1 (numbers are
> fictional, for example only).

I've never seen anyone use NAT to translate outgoing packets' source
addresses to something other than the external address of the firewall.
The router obviously sends packets for 64.1.1.1 to the firewall,
otherwise the setup wouldn't work at all. Why don't you give the
firewall's external interface the address 64.1.1.1?

If the router forwards packets with private addresses, it would _have_
to do NAT itself. If it doesn't, why use private addresses between the
router and the firewall?

Daniel
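For reference, the two pf setups discussed in this exchange side by side, as an added example constructed here (not configuration posted by either Adam or Daniel). The internal LAN range 192.168.1.0/24 and the use of an interface name as a translation address in the second rule are assumptions; the OpenBSD 3.0-era `nat` syntax is what the thread's date implies.

```conf
# --- Setup as described in the quoted message (constructed example) ---
#
# ISP --- <router> --10.0.0.0/30-- (xl1: 10.0.0.1) <pf firewall> --- 192.168.1.0/24
#
# xl1 carries a private address, yet outgoing traffic is rewritten to the
# global address 64.1.1.1, which no interface on the firewall owns.
# This only works because the router already sends 64.1.1.1 to the firewall.
nat on xl1 from 192.168.1.0/24 to any -> 64.1.1.1

# --- Daniel's suggestion (constructed example) ---
#
# Number xl1 with the global address instead, e.g. in /etc/hostname.xl1:
#     inet 64.1.1.1 255.255.255.252 NONE
# Then the translation address is simply the external interface's own
# address. Assumption: pf expands an interface name to its address here.
nat on xl1 from 192.168.1.0/24 to any -> xl1
```

In both variants the router must still route 64.1.1.1 to the firewall; the second removes the private hop and the mismatch between the interface address and the NAT source, which is what ftp-proxy trips over.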