bts at iae.nl
Mon Sep 15 05:38:33 PDT 2003
What I seriously miss in FreeBSD is the possibility to have NATD active
on more than one network address/card and to do packet routing based
on packet information.

For example: all external network interfaces X and Y serving their own requests,
routing all traffic from the firewall's system to interface X and all
other traffic (i.e. from the internal network) to interface Y.

The activation mechanism (the rules) of IPFW and NATD seems to
be integrated with the actual firewall. Understandable, because once
matching has been done, the FW rule can be applied easily. Activation
of NATD handling is done with the divert as a result of the matching mechanism.

Running 2 NATDs is possible, but ends up with the wrong "source"
address in the packets supposed to go to one of the cards.
I.e. one NATD works fine, the other creates packets with the wrong source
address going to the wrong outgoing network card (and as such they have
conflicts with the firewall rules, apart from going to the wrong card and
as such abusing the ISP).

I would like to see an option "REROUTE", where I have the opportunity
to change the source address and destination network card.
A subsequent wish would be to have some sort of option to manipulate
the REROUTE effect based on load and/or line availability. But that's
much less important (for the moment).

What I'm not looking for:
- The option to keep a TCP connection up once it has been established.
  If an external link fails, the connection may be dropped. No problem.
- A real dual link, where packets for one TCP connection are sent out
  over two external links. Much harder to implement and to keep ISPs happy
  about strange IP addresses coming out of their network.

Why am I interested in this REROUTE option?
Many (smaller) companies and/or individuals have NATD
running for both protection and serving the internal network. More and
more, this user group is having MULTIPLE external (low cost ADSL
and/or cable) connections for performance and fallback strategies.
Until now, FreeBSD is not capable of handling this properly. :-((

I have been looking at the FreeBSD source code and noticed it "could"
be done by the firewall code. But that would be (programming-wise) an
ugly way to do this, because it would require changing data global
to the firewall selection/handling routines' context.
More information about the freebsd-ipfw