70 lines
3.5 KiB
Plaintext
70 lines
3.5 KiB
Plaintext
diff -ur --unidirectional-new-file skipsrc-1.0.orig/doc/README.FreeBSD+NAT work.new/doc/README.FreeBSD+NAT
|
|
--- skipsrc-1.0.orig/doc/README.FreeBSD+NAT Wed Dec 31 16:00:00 1969
|
|
+++ work.new/doc/README.FreeBSD+NAT Mon Jan 24 12:35:42 2000
|
|
@@ -0,0 +1,65 @@
|
|
+Using SKIP and FreeBSD's NAT (Network Address Translation) together
|
|
+-------------------------------------------------------------------
|
|
+
|
|
+Skip and NAT are two very popular strategies for building secure
|
|
+networks with FreeBSD. They are sometimes believed to be incompatable
|
|
+when applied to the same interface. They will work together, however,
|
|
+when correctly configured. This document addresses the reference
|
|
+implementation of SKIP (1.0) and natd as implemented through ipfw.
|
|
+
|
|
+The key to understanding the operation of SKIP and NAT in parallel is to
|
|
+realize that inbound packets traverse the ipfw ruleset twice - once as an
|
|
+encapsulated packet and once as an de-encapsulated packet with the
|
|
+original destination address restored. Outbound packets, on the other
|
|
+hand, make a single pass in the unencapsulated state. This understanding
|
|
+can be used to advantage in building a nomadic SKIP server. A nomadic SKIP
|
|
+server allows any host equipped with a SKIP client to connect to the
|
|
+Internet (eg. via a dialup connection to an ISP) and then establish a
|
|
+secure connection to the nomadic SKIP server allowing full access to a
|
|
+Local Area Network. Because the remote host may have a different IP
|
|
+address each time it connects it is known as a nomad and its KeyID is
|
|
+used for identification rather than the IP address identification normally
|
|
+used to establish authenticity.
|
|
+
|
|
+The primary difficulty in setting up a nomadic server in conjunction with
|
|
+NAT is not in reaching in to the LAN but in returning a response to the
|
|
+remote host. The remote host IP address cannot, by definition, be known
|
|
+in advance. Further - authentication of the remote host and
|
|
+identification of its IP address by the SKIP module does not proceed to
|
|
+update the routing tables in the kernel. A LAN host receiving a
|
|
+connection request has insufficient information to reply to the remote
|
|
+host either via a static route or by dynamic routing.
|
|
+
|
|
+This leads to the requirement that the nomadic server must be in-line
|
|
+between the Internet and the LAN so that all packets not destined for the
|
|
+LAN are routed to the nomadic server by the gateway address in the LAN
|
|
+host.
|
|
+
|
|
+The second requirement is to prevent NAT from interfering. NAT does
|
|
+not bother the SKIP pass as the packet header is directed to the
|
|
+nat/skiphost. You can count the inbound SKIP packets as they
|
|
+can be identified by the SKIP protocol (57). Use an ipfw rule
|
|
+before the NAT rule such as:
|
|
+
|
|
+00010 allow skip from any to any in recv fxp0
|
|
+00100 divert 8668 ip from any to any via fxp0
|
|
+
|
|
+assuming that skip is identified as 57 in /etc/protocols.
|
|
+
|
|
+A rule is required for the de-encrypted packets to allow them to be
|
|
+forwarded to the LAN by the routing mechanism without interference from
|
|
+NAT during the second pass:
|
|
+
|
|
+00010 allow skip from any to any in recv fxp0
|
|
+00020 allow ip from any to 192.168.0.0/24 in recv fxp0
|
|
+00100 divert 8668 ip from any to any via fxp0
|
|
+
|
|
+Now you can have nomadic hosts connect securely as part of the LAN and
|
|
+hosts on the LAN can continue to access the Internet through NAT. Of
|
|
+course, you have to configure the skiphost ACL correctly and setup the
|
|
+SKIP client on the nomad to match but that's covered in the
|
|
+documentation.
|
|
+
|
|
+Jim Flowers <jflowers@ezo.net>
|
|
+#4 ISP on C|NET, #1 in Ohio
|
|
+
|