Subject: Re: Bridge support added to NetBSD-current
To: James Sharp <jsharp@psychoses.org>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: current-users
Date: 08/23/2001 13:29:28
On Thu, Aug 23, 2001 at 01:08:53PM -0400, James Sharp wrote:
> Yes.  Kerberos doesn't play well with NAT.  There's ways around it, but
> they're ugly and kludgy.

Keeping your Kerberos zone entirely in the internal network is a
kludge? (That might, obviously, be completely impossible. Keeping
your Kerberos zone entirely in a vlan might be possible. But IPSec
and IPF also don't necessarily play well together without some
coaxing, so you could still be screwed.)

> There's also the fact that these machines are
> production web/mail/DNS/file/cvs servers that bring in quite a chunk of
> change every month and I don't feel like trying to set up some really
> hairy NAT forwarding rules to put them behind NAT.

You already have static IPs for the servers in question, clearly, so
just do:

bimap rtk0 10.0.0.10/32 -> a.b.c.d/32

NAT config is totally easy. It's the ipfilter config that might get
hairy. But you're already doing that, I presume.

-- 
       ~ g r @ eclipsed.net
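The bimap rule above, written out as a complete /etc/ipnat.conf alongside the ordinary masquerading rule for the rest of an internal network. This is an added example, not a file from the original post or from the NetBSD project; the interface rtk0 and the 10.0.0.10 to a.b.c.d mapping come from the message, while the 10.0.0.0/24 internal range and the gateway's public address a.b.c.e are assumed placeholders.

```conf
# /etc/ipnat.conf (constructed example, not from the original post)
# rtk0 and 10.0.0.10 -> a.b.c.d are taken from the message; the 10.0.0.0/24
# internal range and the gateway address a.b.c.e are assumed placeholders.

# One-to-one bidirectional mapping for a server that keeps a fixed public
# address. Inbound packets for a.b.c.d are rewritten to 10.0.0.10, and
# outbound packets from 10.0.0.10 leave as a.b.c.d. Nothing is rewritten at
# the port level, so every service on the host is reachable without a
# per-port rdr rule.
bimap rtk0 10.0.0.10/32 -> a.b.c.d/32

# Everything else on the internal network shares the gateway's own address.
# ipnat applies the first matching rule, so the bimap line must stay above
# these catch-all lines or the server would be masqueraded like any client.
map rtk0 10.0.0.0/24 -> a.b.c.e/32 portmap tcp/udp 10000:20000
map rtk0 10.0.0.0/24 -> a.b.c.e/32
```

Load the file with `ipnat -CF -f /etc/ipnat.conf` and confirm the rules with `ipnat -l`, which lists the active mappings and the current translation table. One point worth keeping in mind for the ipfilter side: IPFilter translates inbound packets before the filter sees them and filters outbound packets before translating them, so in both directions the filter rules for the server on rtk0 should name the internal address 10.0.0.10 rather than a.b.c.d.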