
List:       ipfilter
Subject:    Re: problems with ipnating incoming packets...
From:       Darren Reed <darrenr () reed ! wattle ! id ! au>
Date:       2007-05-20 19:46:00
Message-ID: 4650A578.7080406 () reed ! wattle ! id ! au

Carson Gaspar wrote:
> Darren Reed wrote:
>> Eric,
>>
>> You've got a LAN split across two different sides of a host.
>> When a host on either side is going to try and talk directly to
>> a host on the other side, it is going to ARP for that address.
>> ARP packets aren't routed.  You need a proxy ARP daemon
>> to do that for you.
>>
>> If you don't want to do that then you can't do what you want
>> to do, period.
>
> Sorry Darren, that's not what he wants, and you're wrong (unless _I'm_
> the one on crack today...). He's talking about what some vendors call
> "illegal NAT", where the two different subnets that happen to have the
> same address appear in two places. In reality, this happens a _lot_
> with corporate acquisitions.
>
> Looking at the docs, it appears that ipfilter does not support NAT on
> the source address of incoming packets (destination address of
> outgoing packets), so it can't handle this. If I'm wrong Darren,
> please correct me.

At the moment that's only possible with 5.0.2 using "rewrite" rules with
ipnat where you can specify both a new source and destination address/port.

There's still more code I want to write before 5.1 :)

Darren
