[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ftp-proxy's inability to proxy using arbitrary source ip addresse s
On Fri, Mar 08, 2002 at 04:00:12PM -0800, Adam Herscher wrote:
> ISP --- <router> --rfc1918-ip-space-- (xl1)<pf firewall> --- Client
> Although the point to point connection between the router and the pf
> firewall uses private ip space, pf on the firewall NATs the outside (xl1)
> interface (numbered 10.0.0.1) to a global ip address 184.108.40.206 (numbers are
> fictional, for example only).
I've never seen anyone use NAT to translate outgoing packet's source
addresses to something other than the external address of the firewall.
The router obviously sends packets for 220.127.116.11 to the firewall,
otherwise the setup wouldn't work at all. Why don't you give the
firewall's external interface the address 18.104.22.168?
If the router forwards packets with private addresses, it would _have_
to do NAT itself. If it doesn't, why use private addresses between the
router and the firewall?