Subject: ipnat/ipfilter
To: None <netbsd-users@netbsd.org>
From: Schamil Wackenhut <wackenhut@ram.rwth-aachen.de>
List: netbsd-users
Date: 10/16/2002 19:27:32

Hello again!

.---------.        .--------------------.
|10.0.0.2 |------->|NetBSD 1.6 router   |------>switched LAN---->INTERNET
`---------'        |with ipnat/ipfilter |       ^
                   |and a static IP addr|       |
                   `--------------------'       |
                     .------------------.       |
                     |Another box on LAN|-------'
                     `------------------'

That's my situation:
10.0.0.2 and the NetBSD router belong to me.
On NetBSD I have such an ipnat.conf:
...
rdr rtk0 x.x.x.x/32 port 27960 	-> 10.0.0.2 port 27960 tcp/udp
...

and ipf.conf:
...
block in		   on rtk0
block in log quick 		   from any to any with ipopts
block in log quick proto tcp from any to any with short
block in	 quick on rtk0 from 192.168.0.0/16 	to any
block in	 quick on rtk0 from 172.16.0.0/12 	to any
block in 	 quick on rtk0 from 10.0.0.0/8 		to any
block in	 quick on rtk0 from 127.0.0.0/8 	to any
block in	 quick on rtk0 from 0.0.0.0/8		to any
block in 	 quick on rtk0 from 169.254.0.0/16	to any
block in	 quick on rtk0 from 204.152.64.0/23 to any
block in	 quick on rtk0 from 224.0.0.0/3		to any
block in log quick on rtk0 from 10.0.0.0/24		to any
block in log quick on rtk0 from any to 10.0.0.0/32
block in log quick on rtk0 from any to 10.0.0.255/32
block in log quick on rtk0 from any to !x.x.x.x/32
...
where x.x.x.x is the static IP address of my router.

I need the last rule from above (block in log quick on rtk0 from any to
!x.x.x.x/32) to avoid things like logging in on `Another box on LAN' and
running:
# route add default gw x.x.x.x

(that means people can route their traffic over my router; I think
you know what I mean :))

But if I have such a rule in my ipf.conf, it's impossible for ipnat to
redirect the queries on port 27960 to 10.0.0.2:27960.

Now my question:
How can I realise both things* with ipnat+ipfilter?
*) - avoid the routing over my router from boxes on the LAN
   - redirect the queries to 10.0.0.2

thanks
.sw
-- 
The problem with troubleshooting is that trouble shoots back.
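One way to get both behaviours, as an added example that is not the poster's own configuration: in IPFilter, inbound NAT (the ipnat rdr rule) is applied to a packet arriving on rtk0 before the inbound ipf.conf rules are evaluated, so by the time ipf sees the game traffic its destination is already 10.0.0.2:27960, and the "to !x.x.x.x/32" rule drops it. A "pass in quick" rule that matches exactly that rewritten destination, placed before the blocking rule, lets the redirected packets through while every other packet not addressed to the router itself is still logged and dropped. The interface name rtk0, the addresses and the port are taken from the post; the "flags S" and "keep state" options are my additions.

```conf
# ipnat.conf (unchanged from the post): applied to packets arriving
# on rtk0 BEFORE ipf.conf is consulted, so ipf sees dst 10.0.0.2
rdr rtk0 x.x.x.x/32 port 27960 -> 10.0.0.2 port 27960 tcp/udp

# ipf.conf, inbound on rtk0. Order matters: "quick" stops evaluation
# at the first matching rule, otherwise the last match wins.
...
# (the bogon / spoofed-source block rules from the post stay above)
...

# Allow only what the rdr above has rewritten to 10.0.0.2:27960.
# These two rules MUST come before the "to !x.x.x.x/32" rule, because
# the filter matches on the post-NAT destination, not the public one.
pass in quick on rtk0 proto tcp from any to 10.0.0.2/32 port = 27960 flags S keep state
pass in quick on rtk0 proto udp from any to 10.0.0.2/32 port = 27960 keep state

# Everything else arriving on rtk0 that is not addressed to the router
# itself (e.g. a LAN box that set x.x.x.x as its default gateway and is
# trying to reach the Internet through it) is still logged and dropped.
block in log quick on rtk0 from any to !x.x.x.x/32
```

To check that the right rule is being hit, load the rules and watch the per-rule hit counters with "ipfstat -hio" while a client connects to x.x.x.x:27960; "ipnat -l" shows the active redirect and its mappings. Note the asymmetry if block-out rules are added later: on the outbound path ipf runs before NAT, so a "pass out" rule for the replies has to match the private source 10.0.0.2, not x.x.x.x (with "keep state" on the inbound pass rules the replies are matched by the state table instead).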