Re: Need help. ProxyARP? Other better way?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Need help. ProxyARP? Other better way?
- From: Seth Arnold <sarnold_(_at_)_willamette_(_dot_)_edu>
- Date: Wed, 4 Oct 2000 12:58:49 -0700
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
Give the OpenBSD box the four IPs that are currently assigned to www1,
www2, www3, and www4. Those four boxes will now need fake addresses of
the form 192.168.x.y or 10.x.y.z or the reserved addresses in the 172
block (I forget what they are).
Then, your ipnat "rdr" lines will redirect traffic from the four real IP
addresses on the OpenBSD box to the fake addresses on the real servers.
The packets know to get to your OpenBSD box in the first place because
your ISP has set up a gateway that knows to forward all the IPs in your
netblock through a specific T1/T3/DSL, etc. Once the packets enter your
local network, it depends on whether you have a switched or unswitched
network. In an unswitched network, whichever host decides to respond to
the IP packet will get it -- every host gets a chance to reply. In a
switched network, the switch will forward the packet onto only the port
that has that IP address. (My $120 switch has enough memory for some
8000 hosts!) (Well, ok, most switches don't care about IP addresses; it
is up to the gateway/router/other machines to ask which computer
owns a particular IP address. This is the task of 'arp'.)
I don't know what your level of networking knowledge is. If this was all
below you, then perhaps I misunderstood your question. If some of this
sounds familiar, then I have correctly guessed. If none of this sounds
familiar, write me back and I will try to A: explain better -and- B:
point you towards documentation that will do a much more thorough job
explaining the whole setup. :)
However, I must admit, when I read your question the first time through
earlier this morning, it looked rather like you wanted an application
level proxy. In which case, you would assign the four IPs to your
OpenBSD box, find/write some software to sit on the open ports and
either forward the request to the real webservers or drop the
connection, or whatever else it is you wish to do. You wouldn't use the
rdr stuff in ipnat at that point.
I think the rdr route will be easier, but it won't protect www? from
themselves if they have the ability to execute cgi scripts that are
poorly written. The proxy route will be more work (probably) but will
likely end up more secure with the right proxy software. Chances are
good it will also be slower. (If this is what you were after, look into
the fwtk by TIS -- since they wrote it, they have been bought by NAI,
and the product extended into something commercial, Gauntlet, I think.)
* John Abbott <jabbott_(_at_)_abbotts_(_dot_)_org> [001004 12:03]:
> Yes, but how do the packets know to go to the openbsd box?
> On Wed, 4 Oct 2000, Lenny Boyle wrote:
> > Right. Using the ipnat rdr command you can redirect all traffic or specific
> > ports to an inside IP...this will 'translate' all incoming traffic to the
> > inside segment..
> > --Lenny
> > -----Original Message-----
> > From: John Abbott [mailto:jabbott_(_at_)_abbotts_(_dot_)_org]
> > Sent: Wednesday, October 04, 2000 9:16 AM
> > To: Wim Vandeputte
> > Cc: misc_(_at_)_openbsd_(_dot_)_org
> > Subject: Re: Need help. ProxyARP? Other better way?
> > But how do the packets get to the www boxes? Somehow I need to tell the
> > openbsd box to answer for them. Don't I?
> > --ja
> > On Wed, 4 Oct 2000, Wim Vandeputte wrote:
> > >
> > > Give the OpenBSD the 4 real IP addresses of the www? boxes and use IPNAT
> > > rdr to relay the connections to the 'internal' network (to the correct
> > > host)
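As a concrete illustration of the rdr setup described in this thread, here is an example /etc/ipnat.conf added to this archive page; it is not a file posted by any of the participants. Everything in it is assumed: ne0 is the ISP-facing interface, ne1 faces the private segment, 203.0.113.11 through .14 stand in for the four real addresses, and 10.0.0.11 through .14 are the fake addresses given to www1 through www4.

```conf
# /etc/ipnat.conf (example added here, not from the original thread)
#
# Assumptions, not taken from the thread: ne0 faces the ISP, ne1 faces
# the private segment, 203.0.113.11-14 stand in for the four real
# (public) addresses, 10.0.0.11-14 are the fake addresses on www1-www4.
#
# Prerequisite done outside this file: the OpenBSD box must own the
# four public addresses so that it, and not the www boxes, answers ARP
# for them, e.g.
#   ifconfig ne0 alias 203.0.113.11 netmask 255.255.255.255
# (repeat for .12, .13, .14). The www boxes use the OpenBSD box's ne1
# address as their default gateway so that replies come back through it.

# Redirect only the web port of each public address to the matching
# server. Anything not listed here is not translated, so the servers'
# other services stay unreachable from the outside.
rdr ne0 203.0.113.11/32 port 80 -> 10.0.0.11 port 80 tcp
rdr ne0 203.0.113.12/32 port 80 -> 10.0.0.12 port 80 tcp
rdr ne0 203.0.113.13/32 port 80 -> 10.0.0.13 port 80 tcp
rdr ne0 203.0.113.14/32 port 80 -> 10.0.0.14 port 80 tcp

# Replies to redirected connections are translated back by the rdr
# state automatically. The map rules below are only for connections the
# servers start themselves (DNS lookups, fetching updates): rewrite the
# private source address to one of the box's own public addresses.
map ne0 10.0.0.0/24 -> 203.0.113.11/32 portmap tcp/udp 10000:20000
map ne0 10.0.0.0/24 -> 203.0.113.11/32
```

Load it with `ipnat -CF -f /etc/ipnat.conf` and check the active rules with `ipnat -l`. Two points worth keeping in mind from the discussion above: the rdr rules only steer packets, so a pass/block ruleset for ipf is still needed to stop direct traffic to the 10.0.0.0/24 segment and to limit what reaches the www boxes, and, as Seth notes, none of this inspects the HTTP requests themselves; a poorly written CGI on www1 is just as reachable through a redirect as it was before, which is the argument for the application-level proxy alternative.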