Re: Funky Firewall - Engineering Request

Author: Jay
Date:  
To: PLUG Discuss
Subject: Re: Funky Firewall - Engineering Request


Ah! Right you are! I said it was early in the morning when I posted. :)
I missed your point about full NAT and was just thinking of the
bastardization of the term to mean masquerading. :)

~Jay


On Sat, 8 Jan 2005, Bill Jonas wrote:

> On Sat, Jan 08, 2005 at 11:53:30AM -0700, Jay wrote:
>> In George's case that will not work. As I understand his problem, the
>> source external/public address of the HTTP connection needs to be
>> different for each internal machine.
>
> It absolutely *would* work. That's what NAT means -- network address
> *translation*.
>
> Suppose, as a simple case, you have two LANs which are both using
> 192.168.0.0/16. If you were to connect them, you'd have to renumber one
> of them, right?
>
> Wrong. You can, with a Linux (or OpenBSD or Cisco or something else)
> router, make network A think that network B's addresses are in the
> 10.5.0.0/16 range. Anything sent from A with a destination address in
> 10.5.0.0/16 will be translated by the router as being intended for
> network B and re-written with the appropriate destination address in the
> 192.168.0.0/16 range. At the same time, the source address would also
> be re-written to be in, say, the 10.8.0.0/16 range, and B's router would
> make the appropriate translation when the packets got there, and for
> traffic destined for A.
>
> In this case, it's only half as complex. Only the source needs to be
> re-written for outbound traffic; the destination stays the same.
>
> A simpler explanation can be found at
> <http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-2.html#ss2.1>
> and <http://www.netfilter.org/documentation/HOWTO//NAT-HOWTO-3.html>.
>
> This whole discussion is academic if he's using a 2.2 or earlier kernel;
> 2.0 and 2.2 only had the ability to do masquerading (i.e., one external
> address to many internal addresses) and not full-on NAT (many-to-many).
> You need 2.4 and up to do NAT.
>
>


--
~Jay
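
The two cases Bill describes above, as an added example that is not part of the original thread and not code from either poster: a small POSIX shell script that emits the netfilter rules for (1) joining two LANs that both use 192.168.0.0/16 by mapping each LAN 1:1 onto a distinct alias range with the NETMAP target, and (2) George's many-to-many case, where each internal host gets its own public source address with one SNAT rule per host. The arrangement for case 1 is one assumption of this example: every router carries a NETMAP pair for its own LAN only (A is seen as 10.8.0.0/16, B as 10.5.0.0/16) and connection tracking reverses the translation for replies. Interface names (eth0, eth1), the 203.0.113.0/24 public addresses, the host list and the DRY_RUN convention are all assumptions as well. It needs a 2.4 or later kernel with iptables; with DRY_RUN=1 it only prints the commands, so it can be inspected without root.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts.
# Emits the netfilter NAT rules for the two cases discussed. Interface
# names, address ranges, host list and the DRY_RUN convention are
# assumptions. DRY_RUN=1 prints each command instead of running it.
# Requires a 2.4 or later kernel with iptables and the NETMAP target.

IPT="${IPT:-iptables}"

# Print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Case 1: two LANs that both use 192.168.0.0/16, joined by routers.
# Each router maps its own LAN 1:1 onto a distinct alias range
# (A appears as 10.8.0.0/16, B as 10.5.0.0/16); hosts address the
# other LAN by its alias, e.g. a host on A reaches B's 192.168.3.4
# as 10.5.3.4. NETMAP keeps the host bits; conntrack reverses the
# translation for reply packets, so two rules per router suffice.
#   $1 real range   $2 alias range   $3 WAN interface
router_netmap_rules() {
    real_net="$1"; alias_net="$2"; wan="$3"
    # Outbound: our real source addresses become our alias range.
    run "$IPT" -t nat -A POSTROUTING -o "$wan" -s "$real_net" \
        -j NETMAP --to "$alias_net"
    # Inbound: connections to our alias range reach the real hosts.
    run "$IPT" -t nat -A PREROUTING -i "$wan" -d "$alias_net" \
        -j NETMAP --to "$real_net"
}

# Case 2 (George's): every internal host must appear on the outside
# with its own public source address. That is many-to-many SNAT, not
# masquerading: one POSTROUTING rule per host. Replies come back
# through conntrack without any extra rule.
#   $1 WAN interface   $2 mapping: lines of "<internal> <public>"
per_host_snat_rules() {
    wan="$1"; mapping="$2"
    printf '%s\n' "$mapping" | while read -r inside outside; do
        [ -n "$inside" ] || continue
        run "$IPT" -t nat -A POSTROUTING -o "$wan" -s "$inside" \
            -j SNAT --to-source "$outside"
    done
}

# Same mapping in the other direction: let the outside reach each
# host on its public address (1:1 DNAT). Optional; omit if the hosts
# only make outbound connections.
per_host_dnat_rules() {
    wan="$1"; mapping="$2"
    printf '%s\n' "$mapping" | while read -r inside outside; do
        [ -n "$inside" ] || continue
        run "$IPT" -t nat -A PREROUTING -i "$wan" -d "$outside" \
            -j DNAT --to-destination "$inside"
    done
}

# Forwarding must be on for any of this to matter.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# "sh nat-rules.sh --demo" prints what would be applied (assumed
# file name); drop DRY_RUN and run as root to apply for real.
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1
    enable_forwarding
    echo "# router A (real 192.168.0.0/16, seen by B as 10.8.0.0/16)"
    router_netmap_rules 192.168.0.0/16 10.8.0.0/16 eth1
    echo "# George's firewall: distinct public source address per host"
    per_host_snat_rules eth0 "192.168.1.10 203.0.113.10
192.168.1.11 203.0.113.11"
fi
```

Router B gets the mirror call, `router_netmap_rules 192.168.0.0/16 10.5.0.0/16 eth1`. The same host list passed to `per_host_snat_rules` and `per_host_dnat_rules` gives a full 1:1 mapping; with only the SNAT half, the public addresses are usable for outbound connections and their replies, which is what George's HTTP case needs. Anything not matched by a per-host rule is not translated at all, so add a final MASQUERADE or SNAT rule for the rest of the LAN if those hosts also need to get out.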


---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss