Hummm, maybe I misunderstand, but that looks more like a proxy, no?

François Rousseau

On 10/15/07, Cédric THIBAULT <[EMAIL PROTECTED]> wrote:
> Firstly, thanks for your comments,
>
> 2007/10/12, ropers <[EMAIL PROTECTED]>:
> >
> > I don't fully understand your email, because some of your sentences
> > aren't really grammatically correct, and some of them don't seem to me
> > to be "technologically correct" (ie. the technology questions in them
> > don't seem to make sense to me). From reading this thread, I suspect
> > others are having similar problems.
>
> Yes, it's true I'm not a native English speaker. Sorry for my sentences which
> smell of good French pronunciation... I will do my best to avoid these mistakes..
>
> > Let me look at what you wrote:
> >
> > On 10/10/2007, Cédric THIBAULT <[EMAIL PROTECTED]> wrote:
> > > Hello everybody,
> > >
> > > I work on BSD 4.1, with i386 hardware.
> > >
> > > I'm searching for a way to enable a transparent firewall (without IP
> > > address), probably in bridge mode.., with a capability of NAT.
> >
> > Let me stop you there. Normally, you would EITHER use your OpenBSD box
> > to do NAT, OR you would set your OpenBSD box up as a bridge. Let's
> > take a step back and instead of talking about things in the abstract,
> > let's make plain what you're trying to do:
> >
> > - Do you have a network w/ multiple hosts on the same physical network
> >   segment?
> > - Do these hosts have private or public IP addresses?
> > - Are these hosts' IP addresses in the same (logical) subnet? I.e. are
> >   they using the same network address and subnet mask, e.g.
> >   xxx.yyy.zzz.0/24?
> > - You've mentioned bridging. Which hosts do you want to separate with
> >   a bridge? Are these hosts on the same logical subnet (and possibly
> >   already on the same physical network segment)? If they aren't, then
> >   how is what you're trying to do bridging?
> > - You've mentioned NATing. Normally this involves translating between
> >   two DIFFERENT logical networks. What do you mean by "enable a
> >   transparent firewall (...) in bridge mode.., with a capability of
> >   NAT"? Do you want to set up a bridge NOW and only possibly separate
> >   your network LATER, and then change your OpenBSD bridge to an OpenBSD
> >   NAT router?
>
> I've got 2 physical networks which are on the same IP subnet with the same
> netmask. The OpenBSD is in the middle of these networks. For example:
>
> LAN1------------------------- OPEN BSD ------------------- LAN 2
> 192.168.0.1-10            INET1 - INET2            192.168.0.15-20
> 255.255.255.0                                        255.255.255.0
>
> > > I know the interest is not evident to nat some computers on the same
> > > IP lan, but it's for a client, so....!
> >
> > Hm. Forgive my skepticism, but has the client asked you to put in a
> > bridge that does NAT? Do you understand what they want? Do they?
>
> I don't know precisely why he wants that, but for information I know Cisco
> offers this possibility.
>
> > > It seems that PF doesn't have this capability. Perhaps, it could be
> > > possible with another package?
> >
> > OpenBSD/PF can do NAT while filtering the NATted traffic.
> > OpenBSD/PF can also be used to set up a transparent bridge that is
> > invisible to users, yet filters traffic. This can be done "out of the
> > box"; no extra packages are required. I have personally in the past
> > set up such an OpenBSD bridge. In my case, this was a physical network
> > segment with multiple hosts, only some of which were under my control.
> > The foreign and my own hosts were also on the same (logical) subnet. I
> > needed to protect one of the hosts from the others (especially the
> > ones I didn't control). That sensitive host was a Windows Server 2003
> > box ((which by default comes w/o a firewall and the Windows Firewall,
> > while available in a service pack, cannot be enabled on Domain
> > Controllers without serious hacking; really; it boggles the mind)). So
> > I connected stuff thus:
> >
> > W2K3 Srv <---> OpenBSD bridge <---> rest of network, incl. Internet gateway
> >
> > I set up the bridge and configured pf.conf so that those boxes that
> > needed to talk to the server could do so. It was NOT a totally
> > bulletproof solution, but it was the best I could come up with, given
> > the constraints I was operating within.
>
> Your description is very interesting and I agree with your opinion. But my
> question is: can I NAT an IP address which is not assigned to my network
> interface, and configure ARP to be able to receive IP data destined to the
> IP I NAT? If I keep my previous example:
>
> LAN1------------------------- OPEN BSD ------------------- LAN 2
> 192.168.0.1-10            INET1 - INET2            192.168.0.15-20
> 255.255.255.0                                        255.255.255.0
>
> With INET1 and INET2 in promiscuous mode without IP address assigned, I would
> like to know if I could NAT LAN1 with an arbitrary address (192.168.0.11 for
> example) and capture the answers to forward them to LAN1 (with a specific
> ARP configuration perhaps..). With this configuration, LAN2 uses only 1
> address to communicate with LAN1, but can't ping or touch the firewall, which
> is totally transparent..
>
> > Maybe you could describe your network like I did above. I think that
> > would help me and possibly others to understand you better. Please be
> > specific.
>
> So, I hope that my problem is clearer now. I don't know if it's realistic
> to try something like that...
>
> > Thanks and regards,
> >
> > --ropers
>
> Thanks, and sorry again for my sentences :-}
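An added example, not from the thread or from ropers, of the filtering bridge ropers describes (protected server on one side, the rest of the same /24 on the other), written in OpenBSD 4.1-era pf.conf and brconfig(8) syntax. The interface names em0/em1, the server address 192.168.0.15 and the admin hosts are assumptions chosen to fit Cédric's diagram.

```pf
# /etc/hostname.em0 and /etc/hostname.em1 (assumed NIC names): just "up",
# no IP address on either member, so the bridge itself has nothing to reach.
#
# /etc/hostname.bridge0 (brconfig(8) keywords, one per line, OpenBSD 4.1):
#     add em0
#     add em1
#     up
#
# /etc/pf.conf for the filtering bridge:
out_if = "em0"                 # toward the rest of the LAN and the gateway
srv_if = "em1"                 # toward the protected Windows Server 2003 host
srv    = "192.168.0.15"        # constructed address for the server
admins = "{ 192.168.0.2, 192.168.0.3 }"   # constructed: hosts allowed RDP
lan    = "192.168.0.0/24"      # the single logical subnet on both sides

set skip on lo0

# A bridged packet is seen by pf on both member interfaces. Pass everything
# on $srv_if without further evaluation and do all filtering on $out_if,
# so each packet is judged exactly once. The state created when the server
# initiates a connection (in on $srv_if) also lets the replies back in.
pass quick on $srv_if all keep state

# Default deny toward the server; log what is dropped for later review.
block log on $out_if all

# Hosts on the same subnet may reach the domain-controller services used
# here as an illustration (DNS, Kerberos, LDAP, SMB); only $admins get RDP.
pass in on $out_if proto { tcp, udp } from $lan to $srv \
    port { 53, 88, 389, 445 } keep state
pass in on $out_if proto tcp from $admins to $srv port 3389 keep state
pass in on $out_if inet proto icmp from $lan to $srv icmp-type echoreq keep state

# No nat rule here: as the thread points out, PF translates addresses on a
# routed box, which is a different design from this transparent bridge.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; ARP is not IP and passes the bridge unfiltered, which is what keeps both sides of the same subnet talking.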