From: Julian Anastasov <ja@ssi.bg>
To: lartc@vger.kernel.org
Subject: [LARTC] Re[2]: local address routeable?
Date: Thu, 17 Jul 2003 20:53:02 +0000
Message-ID: <marc-lartc-105847565424333@msgid-missing>
In-Reply-To: <marc-lartc-105844451815207@msgid-missing>
Hello,
On Thu, 17 Jul 2003, Christian Stuellenberg wrote:
> If traffic from zone MASQ is addressed to one of the external internet
> addresses of one of the zones GOOD or DMZ, then it will currently get
> routed directly at HOST. It is intended that this direct routing is
> not done, but instead ALL traffic from zone MASQ becomes masqueraded
> out over the dynamic PPP connection to the internet, comes back over
> the CISCO line to HOST, then gets routed to the external destination IP
> (in zone GOOD or DMZ) and when the reply from there comes back again
> to HOST, it should get routed over the CISCO internet connection and
> then back over the dynamic PPP connection, demasqueraded, and at last
> delivered to the original source in zone MASQ.
>
> This works up to the point where the reply comes back to HOST. Now
> I'm not able to tell HOST that this reply should again be routed out
> to the internet over the CISCO line and only be demasqueraded if it comes
> in over the PPP connection (btw. the demasquerading also does not
> occur if the reply does not get routed; I assume this is because the
> masquerading tables are waiting for a packet that comes in over the PPP
> connection and not on IF0 or IF1).
I think I understand the setup. I'm still wondering what
the end goal is. I can only speculate:

Assumption 1. Hosts from GOOD want to see the client from DynIP, not from
a.b.c.62. The solution: use SNAT with saddr=DynIP when talking to
GOOD, because the default masquerade action is to use a.b.c.62,
which is the address recommended by the routing. I assume GOOD and DMZ
do not care how the packet with saddr=DynIP appeared, as long as
it looks as expected?

Assumption 2. For some reason (even at the cost of introducing security problems) you
want packets with saddr=DynIP to walk the external path and
to reach GOOD. Is it needed? Is there a problem with the above
solution in #1?
> Regards,
> Christian
Regards
--
Julian Anastasov <ja@ssi.bg>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/