Re: Transparent Firewall with NAT

2007-10-15 Thread Cédric THIBAULT
Firstly, thanks for your comments,

2007/10/12, ropers <[EMAIL PROTECTED]>:
>
> I don't fully understand your email, because some of your sentences
> aren't really grammatically correct, and some of them don't seem to me
> to be "technologically correct" (ie. the technology questions in them
> don't seem to make sense to me). From reading this thread, I suspect
> others are having similar problems.


Yes, it's true I'm not a native English speaker. Sorry for my sentences, which smell
of good French pronunciation... I will do my best to avoid these mistakes..


Let me look at what you wrote:
>
> On 10/10/2007, Cédric THIBAULT <[EMAIL PROTECTED]> wrote:
> > Hello everybody,
> >
> > I work on BSD 4.1, with i386 hardware.
> >
> > I'm searching for a way to enable a transparent firewall (without IP
> > address),
> > probably in bridge mode.., with a capability of NAT.
>
> Let me stop you there. Normally, you would EITHER use your OpenBSD box
> to do NAT, OR you would set your OpenBSD box up as a bridge. Let's
> take a step back and instead of talking about things in the abstract,
> let's make plain what you're trying to do:
>
> - Do you have a network w/ multiple hosts on the same physical network
> segment?
> - Do these hosts have private or public IP addresses?
> - Are these hosts' IP addresses in the same (logical) subnet? I.e. are
> they using the same network address and subnet mask, e.g.
> xxx.yyy.zzz.0/24?
> - You've mentioned bridging. Which hosts do you want to separate with
> a bridge? Are these hosts on the same logical subnet (and possibly
> already on the same physical network segment)? If they aren't, then
> how is what you're trying to do bridging?
> - You've mentioned NATing. Normally this involves translating between
> two DIFFERENT logical networks. What do you mean by "enable a
> transparent firewall (...) in bridge mode.., with a capability of
> NAT"? Do you want to set up a bridge NOW and only possibly separate
> your network LATER, and then change your OpenBSD bridge to an OpenBSD
> NAT router?



I've got 2 physical networks which are on the same IP subnet with the same
netmask. The OpenBSD is in the middle of these networks. For example:

LAN1 ----------- OpenBSD ----------- LAN2
192.168.0.1-10   INET1 - INET2   192.168.0.15-20
255.255.255.0                    255.255.255.0


> > I know the interest is
> > not evident to NAT some computers on the same IP LAN, but it's for a
> > client,
> > so!
>
> Hm. Forgive my skepticism, but has the client asked you to put in a
> bridge that does NAT? Do you understand what they want? Do they?


I don't know precisely why he wants that, but for information I know Cisco
offers this possibility.

> > It seems that PF doesn't have this capability. Perhaps it could be
> > possible
> > with another package?
>
> OpenBSD/PF can do NAT while filtering the NATted traffic.
> OpenBSD/PF can also be used to set up a transparent bridge that is
> invisible to users, yet filters traffic. This can be done "out of the
> box"; no extra packages are required. I have personally in the past
> set up such an OpenBSD bridge. In my case, this was a physical network
> segment with multiple hosts, only some of which were under my control.
> The foreign and my own hosts were also on the same (logical) subnet. I
> needed to protect one of the hosts from the others (especially the
> ones I didn't control). That sensitive host was a Windows Server 2003
> box ((which by default comes w/o a firewall and the Windows Firewall,
> while available in a service pack, cannot be enabled on Domain
> Controllers without serious hacking; really; it boggles the mind)). So
> I connected stuff thus:
>
> W2K3 Srv <---> OpenBSD bridge <---> rest of network, incl. Internet
> gateway
>
> I set up the bridge and configured pf.conf so that those boxes that
> needed to talk to the server could do so. It was NOT a totally
> bulletproof solution, but it was the best I could come up with, given
> the constraints I was operating within.


Your description is very interesting and I agree with your opinion. But my
question is:

Can I NAT an IP address which is not assigned to my network interface, and
configure ARP to be able to receive IP data destined to the IP I NAT? If I
keep my preceding example:


LAN1 ----------- OpenBSD ----------- LAN2
192.168.0.1-10   INET1 - INET2   192.168.0.15-20
255.255.255.0                    255.255.255.0

With INET1 and INET2 in promiscuous mode without an IP address assigned, I would
like to know if I could NAT LAN1 with an arbitrary address (192.168.0.11 for
example) and capture the answers to forward them to LAN1 (with a specific
ARP configuration perhaps..). With this configuration, LAN2 uses only 1
address to communicate with LAN1, but can't ping or touch the firewall, which
is totally transparent..

> Maybe you could describe your network like I did above. I think that
> would help me and possibly others to understand you better. Please b
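As a constructed example (not configuration posted by anyone in this thread), here is what ropers' transparent bridge in front of the W2K3 server looks like in OpenBSD 4.x configuration files, using the pre-4.7 pf syntax this thread uses. The member NICs em0/em1, the server address 192.168.0.5, the allowed hosts and the exposed ports are assumptions.

```conf
# /etc/hostname.em0 and /etc/hostname.em1 (bridge members, no IP address):
#   up
#
# /etc/hostname.bridge0 (assumed: em0 = server side, em1 = network side):
#   add em0 add em1 up
#
# /etc/pf.conf: pf filters bridged packets on the member interfaces, not on
# bridge0, so every rule below is written on $srv_if / $net_if.
srv_if    = "em0"                           # member facing the protected server
net_if    = "em1"                           # member facing the rest of the network
srv       = "192.168.0.5"                   # assumed address of the W2K3 server
admins    = "{ 192.168.0.2, 192.168.0.3 }"  # assumed hosts allowed to reach it
srv_ports = "{ 389, 445, 3389 }"            # assumed exposed services (LDAP, SMB, RDP)

set skip on lo0
set skip on $srv_if          # filter once, on the network-facing member only
block log all                # default deny: nothing crosses the bridge unless passed

# Hosts in $admins may open TCP connections to the server; the state created
# here also lets the replies back out through $net_if.
pass in on $net_if inet proto tcp from $admins to $srv port $srv_ports \
    flags S/SA keep state

# ... and ping it.
pass in on $net_if inet proto icmp from $admins to $srv icmp-type echoreq keep state

# The server itself may initiate anything towards the network (and get answers).
pass out on $net_if inet from $srv to any keep state
```

Everything else on the segment still sees the server's MAC address through the bridge but gets its packets dropped and logged on pflog0, which is what makes the box "invisible" yet filtering.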

Re: Transparent Firewall with NAT

2007-10-10 Thread Cédric THIBAULT
2007/10/10, stuart van Zee <[EMAIL PROTECTED]>:
>
> > From:
> >
> > Hello everybody,
> >
> > I work on BSD 4.1, with i386 hardware.
> >
> > I'm searching for a way to enable a transparent firewall (without IP
> > address),
> > probably in bridge mode.., with a capability of NAT. I know the
> > interest is
> > not evident to NAT some computers on the same IP LAN, but it's
> > for a client,
> > so!
> >
> > It seems that PF doesn't have this capability. Perhaps it could
> > be possible
> > with another package?
> >
> > Thanks for your comments...
> >
> > Cédric.
>
> I am not sure you understand what NAT is.  When you use NAT to allow a
> system on one network to access another network, the traffic is NATted
> to the IP of the box doing the NAT.  In the case of a firewall like
> device, the traffic would be given the IP address of the outer interface
> of the firewall.
>
> inside box (1)> firewall/bridge doing nat (2)-> Internet etc.
>
> (1) network traffic leaves the inside box, it has the source IP of the
> inside box.
>
> (2) The network traffic is NATted by the firewall, when it leaves the
> outer interface of the firewall it now has the source IP address of the
> outer interface of the firewall.
>
> Any return traffic would simply take the same steps in reverse.
>
> If the firewall/bridge does not have any IP addresses, there is no way
> that NAT can occur. It has no IP address to change the source IP to.
>
> If I have this wrong somehow, please let me know.
>
> s
>
Thanks for your comment. Unfortunately, I understand the NAT process
well.

It's right that it doesn't seem interesting to NAT some machines in the same
IP LAN, but that is what I want.

The problem, as you said very well, is that the firewall can't assign its own
IP address because it is in bridge mode.

So, the idea is to set a particular IP on all traffic outgoing from the
firewall.
The rule could be this one:

# $lan1_if is assumed to be defined above as a macro for the LAN1-side interface
nat pass on bridge0 inet tagged LAN1 -> 192.168.2.3   # an example IP picked in the LAN...
pass in on $lan1_if inet proto { tcp, udp, icmp } tag LAN1

I don't know if this syntax is OK, because I never tested it.

Does someone know?



Transparent Firewall with NAT

2007-10-10 Thread Cédric THIBAULT
Hello everybody,

I work on BSD 4.1, with i386 hardware.

I'm searching for a way to enable a transparent firewall (without IP address),
probably in bridge mode.., with a capability of NAT. I know the interest is
not evident to NAT some computers on the same IP LAN, but it's for a client,
so!

It seems that PF doesn't have this capability. Perhaps it could be possible
with another package?

Thanks for your comments...

Cédric.