
Thread: Re: stf and NAT

Re: stf and NAT
user name
2007-07-21 21:40:36
> I am not sure I understand the problem you are trying to solve.  It seems
> that your host has an ethernet (say) with an RFC1918 address assigned;
> your host plugs into a router that translates the host's RFC1918 number
> to and from some globally-routable IPv4 address.  You want for your host
> to use that globally-routable IPv4 address for 6to4.  The address in
> the encapsulated IPv6 packet has to embed the global IPv4 address; the
> encapsulation IPv4 header needs to contain the host's RFC1918 address,
> which the router will translate.  The stf(4) pseudo-interface does not
> provide for that.  Is that about right?

Yes.

I encountered this problem several times before. I had a direct, unfiltered
NATted address for my host, but I could not use 6to4 because of address
restrictions. I had a global address seen from the internet world, but not
from stf. Of course, I could not change the router configuration or take its
place...

>
> Can you meet your needs using IP Filter or PF?  Or, if a general-purpose
> tool will not do, doesn't it make sense to isolate the "DMZ adaptation"
> in its own pseudo-interface?  That may benefit more NetBSD applications
> in a DMZ than a stf(4) modification alone.
>

Yes, it's possible, but it may not work in all router configurations (because
of ingress filtering), and your machine may be unreachable in some cases. To
make it work, you can add an alias of the global address on one of your
interfaces, and one bimap rule in your ipnat. I found several people who had
this problem, and I tried to implement a cleaner solution (there are also
other patches available for FreeBSD in some posts).

What do you mean by a DMZ pseudo-interface?

The DMZ part is quite small (just two tests to exit) and is really about...
tolerance of packet source (on input) or missing global IP (to emit). I added
lots of security checks which are not actually done, and an ingress filter for
v6 packets (these checks represent most of the code). I spent lots of time on
security checks. I don't think that a packet filter could do such tests, which
are specific to the 6to4 traffic.

Rodolphe
-- 
There is currently insufficient research to definitively conclude that unix
overuse is an addiction.
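The exchange above turns on two facts about 6to4: the inner IPv6 source must embed a globally routable IPv4 address (2002:V4ADDR::/48), while the outer IPv4 header of a NATted host carries an RFC1918 address that stf(4) refuses. The following Python model, added here as an illustration and not code from the thread, NetBSD, or the patch under discussion, derives the 6to4 prefix from an IPv4 address and applies the source checks a 6to4 decapsulator would run on an inbound packet: outer source routable, embedded IPv4 routable, embedded IPv4 equal to the outer source. A `tolerate_private_outer` flag models the "tolerance of packet source" the reply describes for the NAT case. The function names, the flag, and the sample addresses (203.0.113.0/24 documentation space standing in for a real global address) are all constructed for this example.

```python
import ipaddress

# Constructed sample addresses. 203.0.113.0/24 is documentation space and
# stands in here for a real globally routable IPv4 address.
GLOBAL_V4 = "203.0.113.5"      # address the NAT router presents to the internet
PRIVATE_V4 = "192.168.1.20"    # the host's own RFC1918 address behind the router

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIXTO4 = ipaddress.IPv6Network("2002::/16")
BROADCAST = ipaddress.IPv4Address("255.255.255.255")


def v4_is_routable(addr):
    """True if an IPv4 address may legitimately be embedded in a 6to4 prefix.

    Rejects RFC1918, loopback, multicast, unspecified and limited-broadcast
    addresses, the classes of address a 6to4 relay can never route back to.
    """
    v4 = ipaddress.IPv4Address(addr)
    if v4.is_loopback or v4.is_multicast or v4.is_unspecified or v4 == BROADCAST:
        return False
    return not any(v4 in net for net in RFC1918)


def sixto4_prefix(addr):
    """Return the 2002:V4ADDR::/48 prefix for a globally routable IPv4 address."""
    v4 = ipaddress.IPv4Address(addr)
    if not v4_is_routable(v4):
        raise ValueError(f"{v4} is not globally routable; cannot be embedded in 6to4")
    # 2002 in the top 16 bits, the 32-bit IPv4 address in bits 16..47, rest zero.
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def embedded_v4(addr):
    """Extract the IPv4 address embedded in a 6to4 IPv6 address, or None."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in SIXTO4:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def check_6to4_ingress(outer_src, inner_src, tolerate_private_outer=False):
    """Model of the source checks applied to a decapsulated 6to4 packet.

    outer_src: IPv4 source of the encapsulating header.
    inner_src: IPv6 source of the encapsulated packet.
    tolerate_private_outer: accept an RFC1918 outer source as long as the
        embedded IPv4 address is routable (the NAT case from the thread).
    Returns (accepted, reason).
    """
    outer = ipaddress.IPv4Address(outer_src)
    if not v4_is_routable(outer) and not tolerate_private_outer:
        return False, "outer IPv4 source is not globally routable"

    emb = embedded_v4(inner_src)
    if emb is None:
        # A native IPv6 source reached us through a relay router; there is no
        # embedded address to compare against the outer header.
        return True, "inner source is not 2002::/16 (relay-forwarded)"
    if not v4_is_routable(emb):
        return False, "embedded IPv4 address is not globally routable"
    if emb != outer:
        if tolerate_private_outer and not v4_is_routable(outer):
            return True, "NAT case: embedded global address behind a translated outer address"
        return False, "embedded IPv4 address does not match outer source (spoofed)"
    return True, "embedded IPv4 address matches outer source"


if __name__ == "__main__":
    prefix = sixto4_prefix(GLOBAL_V4)
    host_v6 = str(prefix.network_address + 1)
    print("6to4 prefix for", GLOBAL_V4, "is", prefix, "; host address", host_v6)
    for outer, tol in ((GLOBAL_V4, False), (PRIVATE_V4, False), (PRIVATE_V4, True)):
        print(f"outer={outer:<14} tolerant={tol!s:<5}",
              check_6to4_ingress(outer, host_v6, tolerate_private_outer=tol))
```

Run with the defaults and the second line shows the complaint from the thread: a packet from the NATted host carries a valid embedded global address but an RFC1918 outer source, so the strict check drops it; only the tolerant variant accepts it, and even then a mismatch between two routable addresses is still rejected as spoofed.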
