Subject: Re: default route and private networks
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Daniel Carosone <dan@geek.com.au>
List: tech-net
Date: 04/26/2005 17:38:22
On Tue, Apr 26, 2005 at 01:11:06AM -0400, Steven M. Bellovin wrote:
> That's almost, but not quite, what is needed here. If you specify
> -ifa, the packet is sent out on that interface. We want to send on
> interface A while using some address from interface B.
I have used ipfilter's NAT for exactly this purpose for a long time,
so that outgoing connections originate from (multiple,
service-specific) addresses on my (routed, PTR-delegated-to-me)
subnet, not on my (routed, but PTR-belongs-to-ISP-and-can't-be-changed)
link segment address.
I get to write a highly purpose-specific fine-tuned policy (if I want
to), no long discussion thread required. Another use for NAT, even
where private addresses aren't involved, to poke snarky fun at another
long-running thread.
FWIW, I liked dyoung's address selection policy #2: largest address
mask in common with destination is used as source by default (to be
overridden by -ifa routes or other things, as discussed herein).
--
Dan.
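As an added illustration of the "policy #2" Dan refers to (the configured address sharing the most leading bits with the destination becomes the default source, with an explicit -ifa-style choice overriding it), here is a small reference implementation; it is not NetBSD code or code from anyone in the thread, and the interface names and addresses are constructed sample data.

```python
"""Source-address selection by longest common prefix with the destination.

Added example for this page, not code from NetBSD or the thread's authors.
The interfaces and addresses below are constructed; "ext0" stands for the
link segment toward the ISP and "int0" for a routed subnet of one's own.
"""
from __future__ import annotations

import ipaddress

SAMPLE_IFADDRS = {
    "ext0": ["203.0.113.5/30"],
    "int0": ["198.51.100.1/24", "198.51.100.25/24", "198.51.100.80/24"],
}


def common_prefix_len(a: ipaddress.IPv4Address, b: ipaddress.IPv4Address) -> int:
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    xor = int(a) ^ int(b)
    return 32 if xor == 0 else 32 - xor.bit_length()


def select_source(dst: str, ifaddrs: dict[str, list[str]],
                  forced_ifa: str | None = None) -> tuple[str, str]:
    """Return (interface, address) to use as the source toward `dst`.

    An explicitly requested source address (the -ifa case) wins outright.
    Otherwise the candidate sharing the longest prefix with `dst` is chosen;
    ties keep configuration order, so an interface's first-listed address is
    its default for destinations that match no better.
    """
    dest = ipaddress.IPv4Address(dst)
    candidates = [(ifn, ipaddress.IPv4Interface(cidr).ip)
                  for ifn, cidrs in ifaddrs.items() for cidr in cidrs]
    if forced_ifa is not None:
        forced = ipaddress.IPv4Address(forced_ifa)
        for ifn, addr in candidates:
            if addr == forced:
                return ifn, str(addr)
        raise ValueError(f"{forced_ifa} is not a configured address")
    # max() returns the first maximal element, which gives the tie-break above.
    best = max(candidates, key=lambda c: common_prefix_len(c[1], dest))
    return best[0], str(best[1])


if __name__ == "__main__":
    for dst in ("198.51.100.77", "203.0.113.6", "8.8.8.8"):
        print(dst, "->", select_source(dst, SAMPLE_IFADDRS))
```

Note that for a destination matching none of the configured prefixes, every candidate scores zero and the first configured address wins, which is exactly the case where a NAT rule or -ifa route is needed to pick a different source.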