[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Masquerading



Hi,

RTFM about masquerading:
man ipfwadm
....
       -m     Masquerade  packets  accepted for forwarding.  When
              this option is set, packets accepted by  this  rule
              will  be masqueraded as if they originated from the
              local host.  Furthermore, reverse packets  will  be
              recognized  as  such and they will be demasqueraded
              automatically, bypassing the  forwarding  firewall.
              This  option  is  only valid in forwarding firewall
              rules with policy accept (or when specifying accept
              as  default  policy)  and can only be used when the
              kernel  is   compiled   with   CONFIG_IP_MASQUERADE
              defined.
....
man ipfw
....
       This paragraph describes the way a packet goes through the      
       firewall  and  accounting rules.  Packets received via one
       of the local network interface  will  pass  the  following
       sets of rules:
              accounting (incoming device)
              input firewall (incoming device)
       Here,  the  device  (network  interface) that is used when
       trying to match a rule with an IP packet is listed between
       brackets.   After  this  step, a packet will optionally be
       redirected to a local socket.  When a  packet  has  to  be
       forwarded to a remote host, it will also pass the next set
       of rules:
              forwarding firewall (outgoing device)
       After this step, a packet will optionally be  masqueraded.
       Responses  to masqueraded packets will never pass the for­
       warding firewall (but they will pass both  the  input  and
       output  firewalls).  All packets sent via one of the local
       network interfaces, either locally generated or being for­
       warded, will pass the following sets of rules:
              output firewall (outgoing device)
              accounting (outgoing device)
       Note  that  masqueraded packets will pass the output fire­
       wall and accounting rules  with  the  new  packet  headers
       (after  passing the input and forwarding firewall with the
       original headers).  Also, responses to masqueraded packets
       will  have  different  headers  when passing the input and
       output firewall rules.
....

Now, i want to setup masquerading with this topology:

Provider (ISP-IP) <---> FW/MASQU (FW-IP) <---> INTERNAL (OWN-IP)

Consider sending mail from OWN-IP to ISP-IP with masquerading:
The firewall will use IP-Headers:
  incoming: OWN-IP
  forward : OWN-IP
  outgoing: FW-IP  (masqueraded, uses temp. port)
and responses will use:
  incoming: FW-IP  (temp. port)
  outgoing: OWN-IP
without forwarding.

This leads to the following:

- in order to masquerade the packets, they must be accepted for forwarding
  with original IP-Header.
- outgoing IP-Headers are using FW-IP on temporary port

=>in order to use masquerading, i have to allow the
  temporary used "masquade-ports" on the firewall in incoming direction!

What about e.g. incoming mail ?

The ISP only knows the (masqueraded) FW-IP as a reachable host. So the get
incoming mail working, IP-Redirection has to be used, to connect the
incoming SMTP-connection to the mailhost.

Result:
1) I don´t want to allow any connection with destination adress
   of my firewall
2) IP-Redirection is in alpha/beta yet (?), so i don´t want to
   use this too,
3) In order to use masquerading, i have to use a dedicated masquerading
   host, e.g. with the following topology:

Provider (ISP-IP) <---> FW (FW-IP) <---> MASQU (MQ-IP) <---> INTERNAL (OWN-IP)

Any suggestions for this scenario ?
Is my interpretation correct ?
How do you setup masquerading ?

--
MfG
    Jens Hellmerichs-Friedrich

http://www.fen.baynet.de/jens.hellmerichs-friedrich


Reply to: