Re: [opensuse] Re: [Fwbuilder-discussion] Dual-homed NAT question



James Knott wrote:

> Whit Blauvelt wrote:
>
>>> I'm not an expert here but so far as I'm aware there's nothing in
>>> the IP packet which has information about which interface it arrived on.
>>> Without that information it can not be routed predictably for
>>> the return journey.
>>
>> Think you're right. When it's being handled on just the firewall
>> system, I believe it's the kernel's rp_filter that's enabling it to
>> work. But that's lost when it goes on by DNAT. Thus the desire to use
>> a port. There's _got_ to be a way to implement the logic "if it comes
>> from 192.168.1.xyz on port 24, route it out through interface X on
>> port 22" - except iptables' limitation on outward port translation
>> blocks the easy and obvious way.
>>
>> If I put a daemon on the firewall box, with my current setup it just
>> works. Putting it on a separate system behind it though, I haven't
>> found an appropriate way yet to have the firewall recognize which
>> outgoing interface to use, to have it match the incoming.
>
> As has been mentioned before, there is no way for the firewall/NAT to
> determine which port is to be used.

fwmark?

> The packets behind the firewall will have a destination address and
> the routing tables will determine which interface will be used.
> Unless there is a specific route for a given address, the default
> route will always be used.

It can be changed with ip rule and fwmark.



--
Per Jessen, Zürich (14.8°C)
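The ip rule plus fwmark approach this reply points at, worked through as an added example (not code from anyone in the thread): new connections are marked by the WAN interface they entered on, the mark is saved in conntrack so the LAN server's replies inherit it, and a per-mark routing table sends those replies back out the same WAN. Interface names eth0/eth1/eth2, the LAN host 192.168.1.10 and the gateway addresses are placeholders; the external port 24 to internal port 22 remap follows the quoted description.

```shell
#!/bin/sh
# Added example, not code from the thread: send replies of DNAT'd connections
# back out the WAN interface they arrived on, using CONNMARK plus ip rule.
# Interface names, the LAN host and the gateways are hypothetical placeholders.
LAN_IF=eth0
LAN_NET=192.168.1.0/24
SERVER=192.168.1.10   # LAN host that receives the DNAT'd connections
# Execute a command, or only print it when DRY_RUN=1 (review before applying).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mangle PREROUTING order matters: (1) copy the saved connection mark onto each
# packet (0 for new connections), (2) the per-WAN rules stamp NEW connections,
# (3) save the packet mark back into the conntrack entry.
mark_begin() { run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark; }
mark_end()   { run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark; }

# setup_wan IFACE MARK TABLE GATEWAY
# New connections entering on IFACE get fwmark MARK. Every packet carrying MARK,
# including the server's replies (which inherit it via restore-mark), is routed
# by table TABLE, whose default route leaves via IFACE.
setup_wan() {
    iface=$1; mark=$2; table=$3; gw=$4
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$mark"
    run ip rule add fwmark "$mark" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    # without this, the marked inbound packet itself would match TABLE's default
    # route and be bounced back out IFACE instead of reaching the LAN
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$table"
    # external TCP/24 on this WAN -> server port 22 (the remap from the thread)
    run iptables -t nat -A PREROUTING -i "$iface" -p tcp --dport 24 \
        -j DNAT --to-destination "$SERVER:22"
    run iptables -t nat -A POSTROUTING -o "$iface" -j MASQUERADE
    # let strict rp_filter include the fwmark in its reverse lookup; otherwise it
    # drops inbound packets on the WAN that is not the main table's default route
    run sysctl -w "net.ipv4.conf.$iface.src_valid_mark=1"
}

setup_all() {
    mark_begin
    setup_wan eth1 1 101 203.0.113.1    # WAN A, placeholder gateway
    setup_wan eth2 2 102 198.51.100.1   # WAN B, placeholder gateway
    mark_end
}

# Only touch the live system when asked (as root, APPLY=1); DRY_RUN=1 prints.
if [ "${APPLY:-0}" = 1 ]; then setup_all; fi
```

Run with `DRY_RUN=1 APPLY=1 sh script.sh` to review the generated commands before applying them as root; outbound LAN connections carry no mark and keep using the main table.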
