Yes, I made it up. ;-) Thinking of nefariously sneaky ways to be very transparent, and thought of a way to do this in IPtables, now would like to try it with my pfSense boxen...

To make some horrendous puns, the intent is to make a firewall so Smooth and Slick that all data (save what it wants) slides right off of it to another machine it Pix. Okay. Enough. Here's the idea in a nutshell - I have one network & three machines - two desktops & a pfSense system. Desktop A is kosher on the LAN, whereas desktop B is not. There are constant, active scans on the LAN that will detect desktop B and set off clanging gongs. User Z understands not putting B on the network, but still wants to use it for SSH and other items. Enter the firewall - in iptables, I'd use the MASQUERADE & TTL targets to transparently spoof being an alternate NIC on desktop A, all the while silently siphoning off port 22 inbound and forwarding it to desktop B on a private interface, as well as statefully handling the rest of its traffic. :-D


          ____LAN____
         /           \
        /             \
   --- /---  MASQ   ---\---
   | PFS  | ------> |  A   |
   --------         --------
      |
      | <--- tcp:22
   ---|----
   |  B   |
   --------


I know a picture is worth a thousand words, but ascii-art doesn't seem to be sticking with me tonight. Anyone understand what I'm trying to do and whether we have the tools available on pfSense? The reason I'm using MASQ instead of simple forwarding is that it wouldn't do to have a query hit the PFS IP and be responded to from the A IP, now would it?

RB