2007/10/10, stuart van Zee <[EMAIL PROTECTED]>:
>
> > From:
> >
> > Hello everybody,
> >
> > I work on BSD 4.1, with i386 hardware.
> >
> > I'm searching for a way to enable a transparent firewall (without IP
> > address), probably in bridge mode, with a capability of NAT. I know the
> > interest is not evident to NAT some computers on the same IP LAN, but
> > it's for a client, so....!
> >
> > It seems that PF doesn't have this capability. Perhaps it could be
> > possible with another package?
> >
> > Thanks for your comments...
> >
> > Cidric.
>
> I am not sure you understand what NAT is.  When you use NAT to allow a
> system on one network to access another network, the traffic is NATted
> to the IP of the box doing the NAT.  In the case of a firewall like
> device, the traffic would be given the IP address of the outer interface
> of the firewall.
>
> inside box (1)----> firewall/bridge doing nat (2)-----> Internet etc.
>
> (1) network traffic leaves the inside box, it has the source IP of the
> inside box.
>
> (2) The network traffic is NATted by the firewall, when it leaves the
> outer interface of the firewall it now has the source IP address of the
> outer interface of the firewall.
>
> Any return traffic would simply take the same steps in reverse.
>
> If the firewall/bridge does not have any IP addresses, there is no way
> that NAT can occur; it has no IP address to change the source IP to.
>
> If I have this wrong somehow, please let me know.
>
> s
>
Thanks for your comment. Unfortunately, I understand the NAT process well.

It's right that it doesn't seem interesting to NAT some machines on the same
IP LAN, but that is what I want.

The problem, as you said very well, is that the firewall can't assign its own
IP address because it is in bridge mode.

So, the idea is to set a particular IP on all traffic outgoing from the
firewall. The rule could be this one:

nat pass on bridge0 inet tagged LAN1 -> 192.168.2.3
(it's an example of an IP picked in the LAN...)
pass in on $lan1_if inet proto { tcp, udp, icmp } from 10.0.0.0/24 tag LAN1

I don't know if this syntax is OK, because I never tested it.

Does someone know?
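As an added example (not from either poster), the same idea written out in pf.conf syntax in the order pf's grammar expects (interface before address family and protocol, `from`/`to` on the filter rule). It assumes em0 is the LAN-facing bridge member, em1 the member facing the rest of the LAN, and 192.168.2.3 a reserved address on that LAN; the bridge itself still carries no address, and the rules are applied on the member interfaces, where pf sees bridged packets, rather than on bridge0.

```pf
# Constructed example; interface names and addresses are assumptions.
lan_if  = "em0"          # bridge member facing the hosts to be translated
ext_if  = "em1"          # bridge member facing the rest of the LAN / router
lan_net = "10.0.0.0/24"
nat_ip  = "192.168.2.3"  # source address the translated packets will carry

# Translate on the outbound member interface, only for packets that were
# tagged LAN1 when they entered on the LAN side.
nat pass on $ext_if inet from $lan_net to any tagged LAN1 -> $nat_ip

# Tag traffic entering from the LAN side so the nat rule above can match it.
pass in on $lan_if inet proto { tcp, udp, icmp } from $lan_net to any tag LAN1
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and with `pfctl -s nat` / `pfctl -s state` afterwards to confirm the translation states are actually being created on $ext_if.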
