[1282] in linux-net channel archive
Re: IP Masquerading (was: LAN--inet & dynamic IP addressing)
daemon@ATHENA.MIT.EDU (Aleph One)
Sat Oct 28 23:05:42 1995
Date: Sat, 28 Oct 1995 13:53:28 -0500 (CDT)
From: Aleph One <aleph1@dfw.net>
To: Lincoln Myers <lim@csua.berkeley.edu>
Cc: linux-net@vger.rutgers.edu
In-Reply-To: <199510262351.QAA27640@soda.CSUA.Berkeley.EDU>
It seems fine, just some points. TCP applications won't be hurt much by lack of
ICMP. TCP ignores ICMP after the 3-way handshake. While connecting (after
sending a SYN, or receiving a SYN) it does generate an error. Missing the
one after sending a SYN is no problem because we will get a TCP RST
packet and that will generate an error. There is a window for error if we
receive a SYN, the other host dies some way, then we will never see
ICMPs, or RST packets, and the socket will hang. UDP applications
would be hurt by lack of ICMP. But then again a lot of them ignore ICMP
errors (crappy tftp implementations come to mind) and simply time out
(hopefully with an exponential backoff).

Also you might want to suggest that people use addresses in the range of
10.x.x.x as that is a reserved address for nonconnected networks. There are
more but I don't recall now. Oh yeah, 192.168.x.x is another. You might want
to dig for the appropriate RFC.

About SSL, I believe the IP address is on the VeriSign certificate. Whether this
is used for authentication I would guess depends on the implementation.
But I do know that client side authentication is optional and Netscape
does not use it, so you can run Netscape on a host being masqueraded
but probably not a server.

Oh yeah, and take anything I say with a grain of salt as I am no expert 8)
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
On Thu, 26 Oct 1995, Lincoln Myers wrote:
> Date: Thu, 26 Oct 1995 16:51:43 -0700
> From: Lincoln Myers <lim@csua.berkeley.edu>
> To: linux-net@vger.rutgers.edu
> Subject: IP Masquerading (was: LAN--inet & dynamic IP addressing)
>
> Bernd S. Bentrup (bsb@uni-muenster.de) mentions the following magic words:
>
> > small LAN at home ... connected ... dialup PPP ... don't have
> > registered IP address ... Socks package requires recompiling
> > and doesn't support UDP ...
>
> This looks like a job for IP Masquerading!
>
> I've written a short man page on masquerading, available from
>
> ftp://ftp.csua.berkeley.edu/pub/lim/masquerading.4
>
> Please oh please oh please, anyone who knows about masquerading and
> firewalling read it and tell me if anything is wrong...
>
> Note that masquerading requires a 1.3.x kernel and ipfw, the latter of
> which comes with very recent (beta) net-tools. Last I was told,
> net-tools could be found at
>
> ftp://ftp.inka.de/pub/Linux/networking/net-tools/
>
> ipfwadm, a better ipfw, might have support for masquerading in the
> future (I'm just about to submit changes):
>
> ftp://ftp.xos.de/pub/linux/ipfwadm/
>
> Lincoln
>
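
The UDP point in the reply above, as an added example that is not part of the original thread: a connected UDP socket gets a fast "connection refused" when the ICMP port-unreachable error reaches it, and falls back to timeouts with exponential backoff when no ICMP error arrives. The function name `udp_probe`, the payload and the loopback ports are assumptions made for this sketch.

```python
import socket


def udp_probe(host, port, payload=b"ping", retries=3, base_timeout=0.05):
    """Send a datagram and report how the failure (if any) was detected.

    Returns (status, attempts) where status is 'reply', 'refused' or 'timeout'.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # connect() on UDP sends nothing; it binds the peer so the kernel
        # can report ICMP errors for this flow back to this socket.
        s.connect((host, port))
        timeout = base_timeout
        for attempt in range(1, retries + 1):
            try:
                s.send(payload)
                s.settimeout(timeout)
                s.recv(2048)
                return "reply", attempt
            except ConnectionRefusedError:
                # ICMP port unreachable was delivered: fail immediately.
                return "refused", attempt
            except socket.timeout:
                # No reply and no ICMP error: only the timer can tell us.
                timeout *= 2  # exponential backoff before the next try
        return "timeout", retries
    finally:
        s.close()


if __name__ == "__main__":
    # Constructed test targets on loopback.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()  # nothing listens here now, so the kernel answers with ICMP
    print("closed port:", udp_probe("127.0.0.1", closed_port))

    silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    silent.bind(("127.0.0.1", 0))  # accepts datagrams, never answers
    print("silent peer:", udp_probe("127.0.0.1", silent.getsockname()[1]))
    silent.close()
```

The silent peer stands in for a path where ICMP errors never come back: the client learns nothing until every backed-off timer has expired.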