NetBSD-Bugs archive


Re: kern/52074: -current npf map directive broken



    Date:        Thu, 11 May 2017 10:47:28 +0100
    From:        Roy Marples <roy%marples.name@localhost>
    Message-ID:  <c2d2d033-a421-df5f-a0cd-4046b7d00808%marples.name@localhost>

  | I agree with Robert, we shouldn't be sending packets on the wire from an
  | address we don't own.
  | But you're not sending on the wire are you?

Actually, he is, he wants to masquerade as some other (remote) host
(proxy for them) and return packets as if the client host was communicating
with that one, when it is really communicating with his NAT box.

That is, he wants to pretend he is forwarding a packet from the remote
host back to the client, when the packet has actually been originated
locally.

This has no chance of working if any protocol that verifies identity
is in use (even SMTP has that available now, I think), but otherwise
could work.

Personally I wouldn't be trying to fake it at that level though, I'd
be returning MX records to the client listing the NAT box as the
preferred (only, probably) mail relay for the host in question
(or for anyone that the client wants to talk to, if that is the
objective.)   Of course, that only works for SMTP.

kre



