IP NAT and IP Masquerading

Post by Martin Foste » Mon, 02 Aug 1999 04:00:00



I have been using Linux on an old 486 for a while now.  It employs IP
Masquerading in order to share the Internet with the internal domain,
which uses the 192.168.1.x addresses.  I also use certain modules that
are built with the kernel that allow ICQ, RealPlayer, FTP and other
such modules.  This is to allow these programs to function
without the need of burning individual holes through the firewall.

I do know about IP NAT, I am simply wondering if getting this exact same
functionality will be just as easy to get going?  Or is it more
difficult?   Are there modules that achieve this?  Or rules that one
adds to do the same?

Other than that, I have been quite impressed with OpenBSD.   I highly
appreciate that it is locked down the way it is "out of the box."  I
also found the method of configuring a network component ridiculously
easy compared to the torment that RedHat (I ripped them out and made my
own), SuSE or Debian Linux put you through.   Any OS that attempts to
force you to use a GUI configuration tool should rethink its
strategy.

                                        Martin Foster

 
 
 

Post by d.. » Mon, 02 Aug 1999 04:00:00


MF: I do know about IP NAT, I am simply wondering if getting this exact same
MF: functionality will be just as easy to get going?  Or is it more
MF: difficult?   Are there modules that achieve this?  Or rules that one
MF: adds to do the same?

After having used Linux, I'd become comfortable with it. Although our setup
is much different now, we had (at work) a Linux computer that was used
primarily as a mail processor for a small LAN (about 25 users), and it was
connected with an ordinary phone modem. The Linux computer was cracked one
day, and I decided to use OpenBSD instead, since I had to install an OS from
scratch.

I installed the OS, and then began trying to figure out IP nat. (this is
with OpenBSD 2.3) To my surprise, there was nothing to figure out...
Un-comment a line in /etc/sysctl.conf, and it worked. Now, the rules are
easy to figure out, but it even gets better if you use ppp...

When OpenBSD 2.4 arrived, the ppp (not pppd) program was now equal to its
FreeBSD twin, and allowed the use of the -alias switch on the command line.
This means that you don't have to do a single thing about IP nat, just leave
it alone and don't think about configuring it, ppp does all the dirty work.
The filtering rules established in the ppp configuration file are easy and
straightforward.

So, if you're thinking of using a normal phone line and ppp, I'd say that
it's about ten times simpler to set up than IP masq'ing is. If you're using
another connection, and must setup IP nat, I'd say it's only about 9 times
easier.

Seriously, once you've configured it, you'll sit back and think, "I know
that there must be more to it than this." After getting it working, I've
wondered why the Linux way of IP masq'ing seems to make a mountain out of a
molehill, it just seems they make it more difficult than it needs to be.

--

------------------------

Tacoma, Wa., USA
------------------------

 
 
 

Post by pixel fair » Wed, 04 Aug 1999 04:00:00




> MF: I do know about IP NAT, I am simply wondering if getting this exact same
> MF: functionality will be just as easy to get going?  Or is it more
> MF: difficult?   Are there modules that achieve this?  Or rules that one
> MF: adds to do the same?

> Seriously, once you've configured it, you'll sit back and think, "I know
> that there must be more to it than this." After getting it working, I've
> wondered why the Linux way of IP masq'ing seems to make a mountain out of a
> molehill, it just seems they make it more difficult than it needs to be.

i agree with the *about linux distros making network configuration much
more difficult than need be, i only use a few lines in rc.whatever and
to hell with linux-conf etc for such tasks. slackware has only an easily
replaceable rc file (rc.inet1) so it's not crappy the same way. and as
mentioned earlier, you can always ditch their network stuff for your own
(though it may be a little trickier with suse)

openbsd is definitely easier than linux in sharing a gate to the world,
but i doubt it's as flexible. you should test all applications you wish
to use. for example, ftp doesn't always work (not all windows ftp clients
know what passive mode is, and even then it doesn't always work). linux
is only another few minutes of work anyway. i hear freebsd has a little
more flexibility than open or net with this kinda stuff (libalias or some
such)

 
 
 

Post by Martin Foste » Thu, 05 Aug 1999 04:00:00



> openbsd is definitely easier than linux in sharing a gate to the world,
> but i doubt it's as flexible. you should test all applications you wish
> to use. for example, ftp doesn't always work (not all windows ftp clients
> know what passive mode is, and even then it doesn't always work). linux
> is only another few minutes of work anyway. i hear freebsd has a little
> more flexibility than open or net with this kinda stuff (libalias or some
> such)

Linux with the ftp module loaded into the kernel will allow any FTP
client, regardless of its support of passive mode, to connect to a
server.   As long as it's on port 21 however, which has always seemed
odd to me.

Has anyone tried using programs such as Real-Player, IRC, Quake or other
such utilities behind an OpenBSD Firewall?  Do you need to take extra
precautions in order for these to function well?  I know that many of
these have firewall options to configure, yet Linux will usually work
without a hitch.

                                        Martin Foster
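
Why active-mode FTP needs a helper behind masquerading/NAT, and why such a helper is tied to port 21, shown as an added example (not part of any post in this thread and not the kernel module's code). The class name, the 203.0.113.5 public address and the port range are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 959 "PORT h1,h2,h3,h4,p1,p2": the client tells the server which
# address and port to connect back to for the data channel.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


class FtpNatHelper:
    """Toy model of a NAT FTP helper (hypothetical, for illustration only)."""

    def __init__(self, public_ip, internal_net, control_port=21, first_port=40000):
        self.public_ip = ipaddress.ip_address(public_ip)
        self.internal_net = ipaddress.ip_network(internal_net)
        self.control_port = control_port
        self.next_port = first_port
        self.expected = {}  # public port -> (internal ip, internal port)

    def outbound(self, src_ip, dst_port, payload):
        """Return the control-channel payload as it leaves the gateway."""
        # The helper only recognises FTP by its well-known control port, so a
        # server on any other port is passed through without inspection.
        if dst_port != self.control_port:
            return payload
        m = PORT_RE.match(payload)
        if not m:
            return payload
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return payload
        client_ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
        # Only map the sender's own internal address, so a PORT command
        # cannot make the gateway expose a different host.
        if str(client_ip) != src_ip or client_ip not in self.internal_net:
            return payload
        client_port = nums[4] * 256 + nums[5]
        pub_port = self.next_port
        self.next_port += 1
        # Remember where the server's incoming data connection must go.
        self.expected[pub_port] = (str(client_ip), client_port)
        octets = str(self.public_ip).replace(".", ",")
        return f"PORT {octets},{pub_port >> 8},{pub_port & 255}\r\n"
```

Without the rewrite, the server would be told to connect to 192.168.1.x, which is unroutable from outside; with it, the gateway both advertises its own address and records the temporary inbound mapping.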

 
 
 

Post by Dana Boot » Thu, 05 Aug 1999 04:00:00


MF: Has anyone tried using programs such as Real-Player, IRC, Quake or other
MF: such utilities behind an OpenBSD Firewall?

At work, the only thing that happens on Windows computers besides web
browsers and email behind an OpenBSD firewall is Real-Player, which works
fine. Here at home, my desktop OS is SuSE Linux, and I use IRC and
Real-Player okay, and the kids use ICQ on their Windows computer. They also
have a chat/bullshit client called "PowWow", which they use to voice chat
and exchange files; this is behind OpenBSD here at home using dial on
demand & ppp.

--

------------------------

Tacoma, Wa., USA
------------------------