
Re: Annoying NAT problem



On Thu, 1 Mar 2001 13:11:33 -0700 (MST), you wrote:

>telnet mailserver 25.
>
>My internet connection is coming into a hub. On this hub are several
>machines including my BSD box and the Win98 box. The BSD box is
>24.108.86.247 and 192.168.1.1. The Win98 machine is 192.168.1.48.
>
>Believe it or not I'm using Putty to type this.
>
>This is far from my problem
>Thanks for the help.... er something.

Hmmm... I'm at a loss for a good answer (or better yet a documented
one ;) but I remember reading something about not being able to do
this someplace during the last few days. The closest thing to a
documented expression of it is in the ipf-howto (below). It only
mentions redirection (rdr) rather than map but the same may be true
for both.


http://www.obfuscation.org/ipf/ipf-howto.html#TOC_33
---------------------------------------------------------
The rdr function is applied to packets that enter
the firewall on the specified interface.  When a packet comes
in that matches a rdr rule, its destination address is
then rewritten, it is pushed into ipf for filtering,
and should it successfully run the gauntlet of filter rules, it
is then sent to the unix routing code.  Since this packet is still
inbound on the same interface that it will need to leave
the system on to reach a host, the system gets confused. Reflectors
don't work.  Neither does specifying the address of the interface
the packet just came in on.  Always remember that rdr
destinations must exit out of the firewall host on a different
interface. 
---------------------------------------------------------

grrr... I wish I could remember where I read about the problem of
passing packets both in and out of the same NIC. It may have been on
the ipfilter mailing list but the only searchable archive of it does
_OR_ matching between terms. I tried "using one NIC card" and got 54K
hits. You might want to try posting to that list. It's worth a try...


Best Regards,

J.C. Roberts
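
Added example, not part of the original message or of ipfilter: a small Python check for the constraint in the ipf-howto excerpt above, flagging any `rdr` rule whose rewritten destination would leave the firewall on the interface the packet arrived on. The interface names (`xl0`, `xl1`), the netmasks and the sample rules are assumptions constructed for illustration; only the three addresses come from the thread.

```python
import ipaddress
import re

# Constructed layouts; interface names and netmasks are assumed, not from the thread.
SINGLE_NIC = {"xl0": ["24.108.86.247/32", "192.168.1.0/24"]}
TWO_NICS = {"xl0": ["24.108.86.247/32"], "xl1": ["192.168.1.0/24"]}

# Constructed ipnat rules using the addresses mentioned in the thread.
SAMPLE_RULES = """
# outbound translation for the private hosts
map xl0 192.168.1.0/24 -> 24.108.86.247/32
rdr xl0 24.108.86.247/32 port 25 -> 192.168.1.48 port 25 tcp
"""

RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+\S+(?:\s+port\s+\S+)?"
    r"\s+->\s+(?P<dest>\d+\.\d+\.\d+\.\d+)"
)


def egress_interface(dest, interfaces):
    """Interface whose connected network holds dest (longest prefix wins)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for ifname, nets in interfaces.items():
        for net in nets:
            network = ipaddress.ip_network(net, strict=False)
            if addr in network and (best is None or network.prefixlen > best[1]):
                best = (ifname, network.prefixlen)
    return best[0] if best else None


def check_rdr_rules(rules, interfaces):
    """Return (rule, reason) for rdr rules that exit on their ingress interface."""
    findings = []
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()
        m = RDR_RE.match(line)
        if not m:
            continue  # blank lines, comments, map rules
        out_if = egress_interface(m["dest"], interfaces)
        if out_if == m["ifname"]:
            reason = f"{m['dest']} is reached via {out_if}, the ingress interface"
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for rule, reason in check_rdr_rules(SAMPLE_RULES, SINGLE_NIC):
        print(f"WARN: {rule}\n      {reason}")
```

With the single-NIC layout the redirect is flagged; with the private network on a second interface the same rule passes.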