puzzling ipnat behavior
dacoder
dc at dcoder.net
Tue Mar 10 15:52:49 PDT 2009
I've asked this question before, but I must have been unclear. I hope this
is better:
I'm puzzled by how ipnat works, particularly by the fact that when the IPs
on an inside NIC are mapped to the IP on my outside NIC, I have to configure
ipfilter to allow any IP that might hit the outside NIC access to the IPs on
the inside NIC. So, where wpi0 is the outside NIC and the first /24 in 10.0.0.0
contains the IP of the inside NIC and everything behind it:
ipnat.rules: map wpi0 10.0.0.0/24 -> <ip on outside nic>/32
ipf.rules:   pass in quick from any to 10.0.0.0/24
I should have thought that since everything coming from outside to
10.0.0.0/24 is addressed to the <ip on outside nic>, this would be
sufficient:
pass in quick from <ip on outside nic> to 10.0.0.0/24
but it isn't.
What's wrong with my thinking? And why isn't this rule a security hazard?
David Coder
Network engineer emeritus
NTT/Verio
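As an added example (not part of the original post or a reply to it), the setup described above written out as a small sh script: the map rule, the broad ipf rule from the post beside a stateful alternative for wpi0, and a model of IPFilter's documented packet path (ipnat is applied before the filter on inbound packets and after it on outbound packets) showing which addresses the rules on wpi0 actually see. The addresses 203.0.113.5 (outside NIC), 10.0.0.10 (inside host) and 198.51.100.7 (remote peer) are constructed for the example; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Constructed addresses from the
# RFC 5737 documentation ranges: outside NIC 203.0.113.5, inside host 10.0.0.10,
# remote peer 198.51.100.7.

OUTSIDE_IF=wpi0
OUTSIDE_IP=203.0.113.5
INSIDE_NET=10.0.0.0/24

# ipnat.rules: hide everything in 10.0.0.0/24 behind the outside NIC's address.
ipnat_rules() {
    printf 'map %s %s -> %s/32\n' "$OUTSIDE_IF" "$INSIDE_NET" "$OUTSIDE_IP"
}

# ipf.rules as in the post: any source on the wire may reach the inside net.
ipf_rules_broad() {
    printf 'pass in quick from any to %s\n' "$INSIDE_NET"
}

# Stateful alternative for wpi0 only (rules for the inside NIC are assumed to
# live elsewhere). Outbound connections from 10.0.0.0/24 create state entries;
# IPFilter consults the state table before the rule list, so replies get in
# even though unsolicited inbound traffic on wpi0 is blocked.
ipf_rules_stateful() {
    cat <<EOF
block in quick on $OUTSIDE_IF all
pass out quick on $OUTSIDE_IF proto tcp from $INSIDE_NET to any flags S/SA keep state
pass out quick on $OUTSIDE_IF proto udp from $INSIDE_NET to any keep state
pass out quick on $OUTSIDE_IF proto icmp from $INSIDE_NET to any keep state
EOF
}

# Model of what the filter on wpi0 sees. IPFilter runs ipnat before the filter
# for inbound packets and after it for outbound packets, so:
#   in:  a reply addressed to OUTSIDE_IP has already had its destination
#        rewritten to the inside host; the source is still the remote peer.
#   out: the filter sees the untranslated 10.0.0.x source.
# Usage: ipf_sees in|out SRC DST INSIDE_HOST
ipf_sees() {
    dir=$1 src=$2 dst=$3 inside_host=$4
    if [ "$dir" = in ] && [ "$dst" = "$OUTSIDE_IP" ]; then
        dst=$inside_host
    fi
    printf 'src=%s dst=%s\n' "$src" "$dst"
}

# The rule proposed in the post, "pass in quick from OUTSIDE_IP to 10.0.0.0/24",
# can only match when the filter sees OUTSIDE_IP as the packet's source.
# Usage: proposed_rule_matches SRC DST INSIDE_HOST  (inbound packet)
proposed_rule_matches() {
    case $(ipf_sees in "$1" "$2" "$3") in
        "src=$OUTSIDE_IP "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write both files into a directory and dry-run them through the real tools
# when present (ipf -n / ipnat -n parse the rules without touching the kernel).
write_and_check() {
    outdir=$1
    ipnat_rules > "$outdir/ipnat.rules"
    ipf_rules_stateful > "$outdir/ipf.rules"
    if command -v ipf >/dev/null 2>&1 && command -v ipnat >/dev/null 2>&1; then
        ipf -n -f "$outdir/ipf.rules" && ipnat -n -f "$outdir/ipnat.rules"
    else
        echo "ipf/ipnat not installed here; rules written, syntax not checked" >&2
    fi
}

if [ "${1:-}" = demo ]; then
    echo "filter sees (inbound reply): $(ipf_sees in 198.51.100.7 "$OUTSIDE_IP" 10.0.0.10)"
    echo "filter sees (outbound):      $(ipf_sees out 10.0.0.10 198.51.100.7 10.0.0.10)"
    if proposed_rule_matches 198.51.100.7 "$OUTSIDE_IP" 10.0.0.10; then
        echo "proposed rule matches"
    else
        echo "proposed rule never matches: the source the filter sees is the remote peer"
    fi
fi
```

Run it as `sh script.sh demo` to print the two views of the packet; `write_and_check /etc` (as root, on a box with IPFilter) writes the stateful rule set and parses it with `ipf -n` and `ipnat -n` before anything is loaded. The point the model makes is that an inbound reply on wpi0 reaches the filter with the remote peer as source and the inside host as destination, which is why a rule keyed on the outside NIC's address as source never fires, and why the stateful version is the usual way to avoid passing `from any` into the inside net.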
More information about the freebsd-questions mailing list