[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipnat rdr question

To: Aaron Jackson <jackson@negril.msrce.howard.edu>
Subject: Re: ipnat rdr question
From: Matthew Patton <patton@sysnet.net>
Date: Wed, 11 Mar 1998 19:32:50 -0400
Cc: misc@openbsd.org

'rdr' in combination with NAT doesn't work right. It's a bug that so far
Darren hasn't admitted to yet. I'll have to find it and show it to him and
then we'll have it fixed.

In principle, you need:

rdr ppp0 ppp0's_address port = xdmcp -> macintosh_ip port = xdmcp

Ipf.rules needs to read:
pass in on ppp0 proto tcp from any port > 1023 to ppp0_address/32 port = xdmcp
pass out on ppp0 proto tcp from macintosh port = xdmcp to any port > 1023

Note that the destination address of the 1st line was ppp0's address and
NOT the macintosh's. Darren insists that this is wrong and that it should
be the mac's. He is correct but therein lies the bug. It doesn't WORK and I
have the stats and filters to prove it. The 'map' and NAT combination works
just fine.

There is a workaround which I personally have not tested and isn't pretty
that calls for adding

map ppp0 macintosh_ip port = xdmcp -> ppp0_address port = xdmcp

This bascially 'cheats' in that 'rdr' is only used for the first incoming
packet  and then on uses the 'map' rule to continue. I think the model will
breakdown entirely if you try to do multiple inside hosts and TCP port
mapping.

Good luck and let us know how it turns out.

--------
"I've always thought we could solve a lot of problems if we didn't let
managers read PC magazines." - Corporate Software & Technology's Mickey
McIntire

References:
- ipnat rdr question
  - From: Aaron Jackson <jackson@negril.msrce.howard.edu>

Prev by Date: Re: [OPENBSD] X doesn't seem to work (fwd)
Next by Date: Re: Bad Magic ?!
Prev by thread: ipnat rdr question
Next by thread: natd and Quake
Index(es):
- Date
- Thread