Subject: NAT Alternatives to IPF!
To: NetBSD i386 Mailing List <port-i386@netbsd.org>
From: Alicia da Conceicao <alicia@internetpaper.com>
List: port-i386
Date: 10/26/1998 11:21:35
Rasmus Wiman wrote:
> Actually, this confuses me a lot! I thought that the purpose of ipf was to do
> the gatewaying instead of the kernel, thus providing the filtering/translation
> required for firewalling/NAT. Who knows, my network might be wide open to
> attackers!

Greetings:

There has to be a decent (FAST & SECURE) alternative to IPF (ipfilter) that
can do fast one way NAT (network address translation) from non-routable IP
space (10.x.x.x) to a single real IP number (from PPP or ethernet). I've
been poking around the "/usr/src/sys/netinet/ip_input.c" file and it looks
like it is the key, but unfortunately I am not yet sufficiently familiar
with kernel level packet tinkering and packet checksums to build a NAT.

Has anyone built such a NAT, in compiled C, for the NetBSD kernel?

IPF is *WAY* too slow for my needs. And by only allowing one way NAT
translation, so that packets can only be translated from the outside back
to non-routable IPs, if they only correspond to sockets that are still
opened and were first initiated from the inside to the outside. That
should hopefully address the security concerns.

I would appreciate hearing about any possible NAT alternatives for
NetBSD, and if they don't exist, maybe the possibility of building one,
similar to what I described. It sounds like there are a lot of other
NetBSD users who are unhappy with IPF.

Thank you in advance. Sincerely, Alicia.
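
The one-way translation described in the message above, as an added example that is not part of the original post and is not NetBSD or IPF code: a user-space C model that creates state only for flows started from the inside, refuses inbound packets that match no such state, and patches the IPv4 header checksum incrementally (RFC 1624) when the source address is rewritten. The function names, the public port range starting at 40000, and the sample addresses and header are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define NAT_SLOTS 64
#define PORT_BASE 40000 /* assumed start of the public port range */
struct nat_entry { int used; uint32_t in_ip, dst_ip; uint16_t in_port, dst_port; };
static struct nat_entry nat_table[NAT_SLOTS];
/* Constructed IPv4 header, 10.0.0.5 -> 192.0.2.80, header checksum in word 5. */
uint16_t sample_hdr[10] = {0x4500, 0x0028, 0x1c46, 0x4000, 0x4006,
                           0x5235, 0x0a00, 0x0005, 0xc000, 0x0250};

/* Inside -> outside: find or create state; returns public source port, 0 if full. */
uint16_t nat_outbound(uint32_t in_ip, uint16_t in_port, uint32_t dst_ip, uint16_t dst_port) {
    int i, free_slot = -1;
    for (i = 0; i < NAT_SLOTS; i++) {
        struct nat_entry *e = &nat_table[i];
        if (!e->used) { if (free_slot < 0) free_slot = i; continue; }
        if (e->in_ip == in_ip && e->in_port == in_port &&
            e->dst_ip == dst_ip && e->dst_port == dst_port)
            return (uint16_t)(PORT_BASE + i); /* existing flow keeps its port */
    }
    if (free_slot < 0) return 0;
    nat_table[free_slot] = (struct nat_entry){1, in_ip, dst_ip, in_port, dst_port};
    return (uint16_t)(PORT_BASE + free_slot);
}
/* Outside -> inside: translate only if state exists for this exact peer; NULL = drop. */
const struct nat_entry *nat_inbound(uint32_t src_ip, uint16_t src_port, uint16_t pub_port) {
    int i = (int)pub_port - PORT_BASE;
    if (i < 0 || i >= NAT_SLOTS || !nat_table[i].used) return NULL;
    if (nat_table[i].dst_ip != src_ip || nat_table[i].dst_port != src_port) return NULL;
    return &nat_table[i];
}
/* Connection closed or timed out: drop the state so later packets are refused. */
void nat_close(uint16_t pub_port) {
    int i = (int)pub_port - PORT_BASE;
    if (i >= 0 && i < NAT_SLOTS) nat_table[i].used = 0;
}
/* RFC 1624 incremental update for one changed 16-bit word: HC' = ~(~HC + ~m + m'). */
uint16_t cksum_adjust(uint16_t hc, uint16_t old_w, uint16_t new_w) {
    uint32_t sum = (uint32_t)(uint16_t)~hc + (uint16_t)~old_w + new_w;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16); /* fold carries back in */
    return (uint16_t)~sum;
}
/* Rewrite the IPv4 source address (words 6, 7) and patch the checksum (word 5). */
void nat_rewrite_src(uint16_t *hdr, uint32_t new_src) {
    uint16_t hi = (uint16_t)(new_src >> 16), lo = (uint16_t)new_src;
    hdr[5] = cksum_adjust(cksum_adjust(hdr[5], hdr[6], hi), hdr[7], lo);
    hdr[6] = hi; hdr[7] = lo;
}
```

The inbound lookup matches on the remote address and port as well as the public port, so a packet from a host the inside machine never contacted is dropped even when it targets a port that is currently mapped.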