Subject: Re: IP Masquerading
From: Eric J. Schwertfeger (ej...@bfd.com)
Date: Feb 5, 1996 10:31:11 am
On Mon, 5 Feb 1996, Paul T. Root wrote:
In a previous message, Marco Masotti said:
I'm running release 2.1 with success and satisfaction. I appreciate very much the neat and proper design since release 2.05.
My question is: Being interested in IP masquerading (available from the.... competition) is that planned or available somehow for FreeBSD also?
Try ifconfig [adapter] alias [ip address] ...
Actually, this isn't what he's talking about. The Linux implementation of IPFW includes some kernel mods that let a firewall translate (masquerade) "outgoing" requests, so that the packets have the firewall's IP address, and then retranslates the responses so that they get to the correct machine/port.
The 1.2.X is limited to protocols that don't imbed the IP address in the handshaking, but the 1.3.X kernels reportedly work even for non-passive FTP.
Basically, for WWW, Telnet, and passive FTP, this lets any application pass through the firewall without knowing the firewall is there, the firewalled workstations think of the firewall as just the default router.
Our firewall allows the two internal networks unrestricted access to each other, and masqueraded connections to the rest of the internet (this is important, as the people that set up the network chose arbitrary network addresses for one of the internal nets before I got here, and neither net has "real" addresses). So basically, in order to break into our internal networks, which due to some dedicated hardware that doesn't allow for passwords, can't be secure, someone will need to find a way to take over the firewall, which will be difficult, since it only listens to a handful of ports, none interactive (time and the like).
Works quite well, except for FTP sites that don't allow passive transfers. In fact, that's how I get and send mail through the firewall to be on this list. Masqueraded connections to our external mail server using SMTP/POP3 (can't SMTP in for reasons that are obvious, if I've explained this properly).
This "feature" is the only reason I'm using Linux on the firewall machine. Well, that and how easy it was to configure 4 NE2000's. Not even a kernel recompile.
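An added example, not from the thread or the Linux kernel: a small Python model of the translation Eric describes (outbound source rewritten to the firewall's address, replies mapped back to the inner host/port, unsolicited inbound packets dropped) and of why an active FTP PORT command, which carries the inner address in its payload, breaks under a masquerader that does not rewrite payloads. All addresses, ports and the Masquerader class are constructed for the example.

```python
from dataclasses import dataclass

FIREWALL_IP = "192.0.2.1"   # constructed: the firewall's "real" external address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


class Masquerader:
    """Header-only masquerading: no payload inspection, so no FTP helper."""

    def __init__(self, first_port=61000):
        self.next_port = first_port
        self.out = {}    # (inner src, sport, dst, dport) -> masqueraded port
        self.back = {}   # masqueraded port -> (inner src, sport)

    def outbound(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.out:          # new flow: allocate a port, remember it
            self.out[key] = self.next_port
            self.back[self.next_port] = (p.src, p.sport)
            self.next_port += 1
        return Packet(FIREWALL_IP, self.out[key], p.dst, p.dport, p.payload)

    def inbound(self, p):
        # Only replies to flows the firewall itself opened are let back in;
        # anything else addressed to the firewall is dropped (returns None).
        if p.dst != FIREWALL_IP or p.dport not in self.back:
            return None
        src, sport = self.back[p.dport]
        return Packet(p.src, p.sport, src, sport, p.payload)


def demo_web():
    """Inner host 10.0.0.5 fetches a page; the reply is steered back to it."""
    nat = Masquerader()
    req = nat.outbound(Packet("10.0.0.5", 40000, "198.51.100.9", 80, "GET / HTTP/1.0"))
    reply = nat.inbound(Packet("198.51.100.9", 80, req.src, req.sport, "HTTP/1.0 200 OK"))
    return req, reply


def demo_active_ftp():
    """Active FTP: PORT h1,h2,h3,h4,p1,p2 still advertises the inner address."""
    nat = Masquerader()
    out = nat.outbound(Packet("10.0.0.5", 40001, "198.51.100.9", 21, "PORT 10,0,0,5,156,64"))
    advertised = ".".join(out.payload.split()[1].split(",")[:4])
    return out.src, advertised   # header says 192.0.2.1, payload still says 10.0.0.5
```

The mismatch returned by demo_active_ftp is exactly the case Eric notes as failing: the remote server would try to open its data connection to the unroutable inner address, which only a kernel that also rewrites the PORT payload can fix.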