(no subject)
hi everybody,

my work now is to change a linux firewall with iptables to freebsd/pf/carp. I migrated 6500 lines of iptables with no problem in ten days. There are 400 servers to filter and maybe more in the new datacenter (1400/1700). The firewall does NAT! They have something like this:

    iptables -t nat -I PREROUTING -d -j DNAT --to

The idea behind it is that two servers on the same LAN behind the firewall could see each other like they are on the internet in different places; they use webservices and they already deal with that. The first contacts the second not on the LAN but through the firewall with the public address.

The firewall must be in production next week. They just told me this new thing they want this morning (and it was not in the first part I migrated), and I am finishing the last three hours I must do on this project. If I didn't win ;) they stay with iptables.

I tried some ideas from http://www.openbsd.org/faq/pf/rdr.html but most of what I do for the servers is binat and not rdr. I can't deal with netcat for such a project; pftpx is already a bit dirty for them instead of conntrack.

thank you for your help

___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: (no subject)
sorry for the disturbing time.

I find:

    rdr on $if_ext proto tcp from $int_net to port 80 -> \

    nat on $if_int inet from to any ->

I nat on the internal interface and it is just working.
Re: bidirectional NAT in PF?
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> sorry for the disturbing time
> I find:
>     rdr on $if_ext proto tcp from $int_net to port 80 -> \
>
>     nat on $if_int inet from to any ->
>
> I nat on the internal interface and it is just working

Is this true, that PF supports bidirectional NAT? That is, NAT of both the source and the destination IP in a connection, at the same time?

I had attempted this in the past but I could not find a rule syntax that would accomplish it. Looking at the above, it appears that this may be possible because PF processes the rulebase twice for forwarded traffic; once on input, and again on output. If the inbound packet matched a "rdr" rule, and the outbound matched a "nat" rule, this would accomplish bidirectional NAT?

Interesting technique, if it works.

--
David DeSimone == Network Admin == [EMAIL PROTECTED]
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow

This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you.
Re: bidirectional NAT in PF?
> Is this true, that PF supports bidirectional NAT? That is, NAT of
> both the source and the destination IP in a connection, at the same
> time?
>
> I had attempted this in the past but I could not find a rule syntax
> that would accomplish it. Looking at the above, it appears that this
> may be possible because PF processes the rulebase twice for forwarded
> traffic; once on input, and again on output. If the inbound packet
> matched a "rdr" rule, and the outbound matched a "nat" rule, this
> would accomplish bidirectional NAT?
>
> Interesting technique, if it works.

"binat" was not working for you?

    binat on $ifext from private-ip to any -> public-ip
Re: bidirectional NAT in PF?
On Sat, 6 Sep 2008 14:14:04 -0500, "David DeSimone" <[EMAIL PROTECTED]> wrote:

> >     rdr on $if_ext proto tcp from $int_net to port 80 -> \
> >
> >     nat on $if_int inet from to any ->
> >
> > I nat on the internal interface and it is just working

To be more clear: the priv IP and pub IP on the two lines are different and are owned by the two servers that must connect like they are on the net.
Re: bidirectional NAT in PF?
[EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > Is this true, that PF supports bidirectional NAT? That is, NAT of
> > both the source and the destination IP in a connection, at the same
> > time?
>
> "binat" was not working for you?
>     binat on $ifext from private-ip to any -> public-ip

I think I am using the wrong terminology. I should probably call it "double NAT" to differentiate it.

"binat" works fine but it still only changes ONE of the IP's being translated (the source IP). In PF, you can use "nat" to translate the source IP, and "redir" to change the dest IP, but what if you want to change both? There is no direct way to do this, so I am wondering if two different rules could be matched at different times during the packet's transit through the gateway.

--
David DeSimone == Network Admin == [EMAIL PROTECTED]
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow
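A worked pf.conf fragment, added here and not written by any poster in the thread, showing the rdr-on-input plus nat-on-output hairpin that the earlier reply describes and that the "double NAT" question above asks about; it uses the pre-OpenBSD 4.7 rdr/nat syntax the posters use, and the interface names and every address in it are constructed placeholders.

```pf
# Added example, not from the thread: hairpin "double NAT" in the
# pre-4.7 rdr/nat syntax.  Interface names and all addresses below
# are constructed placeholders.
ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/24"

# Server A: private 10.0.0.10, public 203.0.113.10
# Server B: private 10.0.0.20, public 203.0.113.20
a_priv = "10.0.0.10"
a_pub  = "203.0.113.10"
b_priv = "10.0.0.20"
b_pub  = "203.0.113.20"

# Normal 1:1 mapping for traffic that really crosses the external interface.
binat on $ext_if from $a_priv to any -> $a_pub
binat on $ext_if from $b_priv to any -> $b_pub

# Hairpin case: A connects to B's *public* address, so the packet enters
# and leaves on $int_if and never reaches the binat rules above.
#
# 1) rdr is evaluated on input: rewrite the destination to B's private IP.
rdr on $int_if inet proto tcp from $int_net to $b_pub port 80 -> $b_priv
#
# 2) nat is evaluated on output on the same interface: rewrite the source
#    to A's public IP, so B sees the same peer address it would see from
#    the Internet and its replies come back through the firewall (where
#    the state entry undoes both translations) instead of going to A's
#    private address directly.
nat on $int_if inet proto tcp from $a_priv to $b_priv port 80 -> $a_pub

# Caveat: after the rdr step a hairpinned packet and a direct
# A -> 10.0.0.20:80 connection look identical, so the nat rule matches
# both; keep it as narrow (proto, port) as the service needs.
# pass/block rules are omitted here, and IP forwarding
# (net.inet.ip.forwarding=1) must be enabled for the hairpin to work.
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and confirm the two translations on a live connection with `pfctl -s state`, which shows both the rewritten source and destination for the hairpinned entry.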