On Wednesday 10 November 2004 13:12, Chris Dickens wrote:
> Does this pf on OpenBSD support bouncing of packets from the internal
> network on external IPs as I've been constantly flustered with m0n0wall's
> inability to do?
The simple answer is yes - sort of.
This issue is common to all firewall systems built around packet filters (and
that includes PIX and FW-1). The problem lies within the way in which NAT is
implemented on what is, basically, a router with attitude.
PF does have a solution to this problem, but it can limit what you do in other
parts of the rulebase. There are other solutions, based on simple proxies,
that are more elegant and this is how the 'bouncing' system works.
Take a look at the pf FAQ (ftp://ftp.openbsd.org/pub/OpenBSD/doc/pf-faq.txt)
in the NAT section and you will see the problem described along with three
different solutions that have varying degrees of efficiency.
> From a 100 mile up perspective, how much trouble could it truly be to chop
> down OpenBSD to the basics like Manuel has done and port the web interface
> over to the OpenBSD platform then let everyone try and decide for
> themselves which is better? Isn't the source code available for porting?
> I'm sure minihttp and php and those things are also available on OpenBSD...
Like so many things in life, it is more complicated than it looks at first
glance. I have been working away quietly at doing just this for a while, but
progress is slow with so many other things that are more urgent (including
the OpenVPN stuff).
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.