README.nat (26031) README.nat (36466)
1User PPP Packet Aliasing
2
3
4
50. Contents
6 1. Background
7 2. Setup
8 3. New commands in ppp
9 4. Future Work
1User PPP Packet Aliasing
2
3
4
50. Contents
6 1. Background
7 2. Setup
8 3. New commands in ppp
9 4. Future Work
10 5. Authors / Acknowledgments
10 5. Authors / Acknowledgements
11 6. Revision History for Aliasing Code
12
13
14
151. Background
16
17User mode ppp has embedded packet aliasing (IP masquerading) code.
18Enabling this, either by the "-alias" command line option or the

--- 28 unchanged lines hidden (view full) ---

47for the cases where exception code exists. This implementation has
48workarounds for FTP and IRC DCC, the most well known of the IP encoding
49protocols. This frees users from depending on using the ftp passive
50mode and avoiding IRC DCC sends, as is sometimes the case with other
51masquerading solutions.
52
53The implementation supports all standard, non-encoding TCP and UDP protocols.
54Examples of these protocols are http, gopher and telnet. The standard UDP
11 6. Revision History for Aliasing Code
12
13
14
151. Background
16
17User mode ppp has embedded packet aliasing (IP masquerading) code.
18Enabling this, either by the "-alias" command line option or the

--- 28 unchanged lines hidden (view full) ---

47for the cases where exception code exists. This implementation has
48workarounds for FTP and IRC DCC, the most well known of the IP encoding
49protocols. This frees users from depending on using the ftp passive
50mode and avoiding IRC DCC sends, as is sometimes the case with other
51masquerading solutions.
52
53The implementation supports all standard, non-encoding TCP and UDP protocols.
54Examples of these protocols are http, gopher and telnet. The standard UDP
55mode of RealAudio is not presently supported, but the TCP mode does work
55mode of Real-Audio is not presently supported, but the TCP mode does work
56correctly.
57
58The packet aliasing code also handle many ICMP messages. In particular,
59ping and traceroute are supported.
60
61
62
632. Packet Aliasing Setup

--- 17 unchanged lines hidden (view full) ---

81you should also verify that machines within the local area network
82communicate properly. A common error is inconsistent subnet addresses
83and masks.
84
85
86
873. New commands in ppp
88
56correctly.
57
58The packet aliasing code also handle many ICMP messages. In particular,
59ping and traceroute are supported.
60
61
62
632. Packet Aliasing Setup
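Review bot: the change at line 55 replaces "RealAudio" with "Real-Audio", but RealAudio is the product's own one-word name, so this is not a spelling correction and should be reverted to "RealAudio". While this hunk is open, line 58 has a subject-verb disagreement ("The packet aliasing code also handle many ICMP messages"), which should read "handles".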

--- 17 unchanged lines hidden (view full) ---

81you should also verify that machines within the local area network
82communicate properly. A common error is inconsistent subnet addresses
83and masks.
84
85
86
873. New commands in ppp
88
89In order to control aliasing behavior in a simple manner (no need for
90recompilation), a new command has been added to iij-ppp: alias. This
89In order to control aliasing behaviour in a simple manner (no need for
90recompilation), a new command has been added to ppp: alias. This
91is in addition to the -alias command line option. System managers and
91is in addition to the -alias command line option. System managers and
92more experienced users may prefer to use the iij-ppp command syntax
92more experienced users may prefer to use the ppp command syntax
93within the ppp.conf file. The alias command also allows packet aliasing
93within the ppp.conf file. The alias command also allows packet aliasing
94behavior to be more precisely specified.
94behaviour to be more precisely specified.
95
96The decision to add a command instead of extending 'set' or 'option' was
97to make obvious that these options only work when aliasing is enabled.
98
99The syntax for 'alias' is
100
101 ppp> alias option [yes|no]
102

--- 11 unchanged lines hidden (view full) ---

114
115
116 - alias deny_incoming [yes|no] (default yes)
117
118Set to "yes" to disable all incoming connections. This just drops
119connections to, for example, ftp, telnet or web servers. The aliasing
120mechanism prevents these connections. Technically, this option denies
121all incoming TCP and UDP requests, making the aliasing software a
95
96The decision to add a command instead of extending 'set' or 'option' was
97to make obvious that these options only work when aliasing is enabled.
98
99The syntax for 'alias' is
100
101 ppp> alias option [yes|no]
102

--- 11 unchanged lines hidden (view full) ---

114
115
116 - alias deny_incoming [yes|no] (default yes)
117
118Set to "yes" to disable all incoming connections. This just drops
119connections to, for example, ftp, telnet or web servers. The aliasing
120mechanism prevents these connections. Technically, this option denies
121all incoming TCP and UDP requests, making the aliasing software a
122fairly efficient one-way firewall. The default is no, which will
122fairly efficient one-way firewall. The default is no, which will allow
123all incoming connections to telnetd, ftpd, etc.
124
125
126 - alias log [yes|no]
127
128Controls logging of alias link creation to "/var/log/alias.log" - this
129is usually only useful if debugging a setup, to see if the bug is in
130the PPP aliasing. The debugging information is fairly limited, listing
123all incoming connections to telnetd, ftpd, etc.
124
125
126 - alias log [yes|no]
127
128Controls logging of alias link creation to "/var/log/alias.log" - this
129is usually only useful if debugging a setup, to see if the bug is in
130the PPP aliasing. The debugging information is fairly limited, listing
131the number of aliasing links open for different prototocols.
131the number of aliasing links open for different protocols.
132
133
134 - alias same_ports [yes|no] (default yes)
135
136When a connection is being established going through the aliasing
137routines, it will normally have its port number changed to allow the
138aliasing code to track it. If same_ports is enabled, the alias
139software attempts to keep the connection's source port unchanged.
132
133
134 - alias same_ports [yes|no] (default yes)
135
136When a connection is being established going through the aliasing
137routines, it will normally have its port number changed to allow the
138aliasing code to track it. If same_ports is enabled, the alias
139software attempts to keep the connection's source port unchanged.
140This will allow rsh, RPC and other specialized protocols to work
140This will allow rsh, RPC and other specialised protocols to work
141_most of the time_, at least on the host machine. Please, do not
142report this being unstable as a bug - it is a result of the way
143aliasing has to work. TCP/IP was intended to have one IP address
144per machine.
145
146
147 - alias use_sockets [yes|no] (default yes)
148
149This is a fairly obscure option. For the most part, the packet aliasing
150software does not have to allocate system sockets when it chooses an
151aliasing port number. Under very specific circumstances, FTP data
141_most of the time_, at least on the host machine. Please, do not
142report this being unstable as a bug - it is a result of the way
143aliasing has to work. TCP/IP was intended to have one IP address
144per machine.
145
146
147 - alias use_sockets [yes|no] (default yes)
148
149This is a fairly obscure option. For the most part, the packet aliasing
150software does not have to allocate system sockets when it chooses an
151aliasing port number. Under very specific circumstances, FTP data
152connections (which don't know the remote port nubmer, though it is
152connections (which don't know the remote port number, though it is
153usually 20) and IRC DCC send (which doesn't know either the address or
154the port from which the connection will come), there can potentially be
155some interference with an open server socket having the same port number
153usually 20) and IRC DCC send (which doesn't know either the address or
154the port from which the connection will come), there can potentially be
155some interference with an open server socket having the same port number
156on the ppp host machine. This possibility for interferience only exists
156on the ppp host machine. This possibility for interference only exists
157until the TCP connection has been acknowledged on both sides. The safe
158option is yes, though fewer system resources are consumed by specifying
159no.
160
161
162 - alias unregistered_only [yes|no] (default no)
163
164Packet aliasing normally remaps all packets coming from the local area

--- 13 unchanged lines hidden (view full) ---

178- alias port <proto> <local addr>:<port> <alias port>
179
180This command allows incoming traffic to <alias port> on the host
181machine to be redirected to a specific machine and port on the
182local area network. One example of this would be:
183
184 alias port tcp 192.168.0.4:telnet 8066
185
157until the TCP connection has been acknowledged on both sides. The safe
158option is yes, though fewer system resources are consumed by specifying
159no.
160
161
162 - alias unregistered_only [yes|no] (default no)
163
164Packet aliasing normally remaps all packets coming from the local area
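Review bot: the fix at line 122 ("The default is no, which will allow all incoming connections to telnetd, ftpd, etc.") repairs the sentence but leaves it contradicting line 116, which documents deny_incoming as "(default yes)". One of the two lines is wrong, and for an option the text itself describes as a one-way firewall the discrepancy matters: a reader of line 116 will assume incoming TCP and UDP requests are dropped unless they change anything, while line 122 says they are accepted. Confirm the real default in the alias code and correct whichever line disagrees with it in this same commit.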

--- 13 unchanged lines hidden (view full) ---

178- alias port <proto> <local addr>:<port> <alias port>
179
180This command allows incoming traffic to <alias port> on the host
181machine to be redirected to a specific machine and port on the
182local area network. One example of this would be:
183
184 alias port tcp 192.168.0.4:telnet 8066
185
186All traffic to port 8066 fthe ppp host would then be sent to
186All traffic to port 8066 of the ppp host would then be sent to
187the telnet port (23) of machine 192.168.0.4. Port numbers
188can either be designated numerically or by symbolic names
189listed in /etc/services. Similarly, addresses can be either
190in dotted quad notation or in /etc/hosts.
191
192
193- alias addr <local addr> <public addr>
194

--- 5 unchanged lines hidden (view full) ---

200IP addresses to the user, but it can even be used in the
201case of a single, dynamically allocated IP address:
202
203 alias addr 10.0.0.8 0
204
205The above command would redirect all incoming traffic to
206machine 10.0.0.8.
207
187the telnet port (23) of machine 192.168.0.4. Port numbers
188can either be designated numerically or by symbolic names
189listed in /etc/services. Similarly, addresses can be either
190in dotted quad notation or in /etc/hosts.
191
192
193- alias addr <local addr> <public addr>
194

--- 5 unchanged lines hidden (view full) ---

200IP addresses to the user, but it can even be used in the
201case of a single, dynamically allocated IP address:
202
203 alias addr 10.0.0.8 0
204
205The above command would redirect all incoming traffic to
206machine 10.0.0.8.
207
208If several address aliases specifiy the same public addres
208If several address aliases specify the same public address
209as follows
210
211 alias addr 192.168.0.2 public_addr
212 alias addr 192.168.0.3 public_addr
213 alias addr 192.168.0.4 public_addr
214
209as follows
210
211 alias addr 192.168.0.2 public_addr
212 alias addr 192.168.0.3 public_addr
213 alias addr 192.168.0.4 public_addr
214
215then incoming traffice will be directed to the last
215then incoming traffic will be directed to the last
216translated local address (192.168.0.4), but outgoing
217traffic to the first two addresses will still be aliased
218to the specified public address.
219
220
221
2224. Future Work
223

--- 10 unchanged lines hidden (view full) ---

234IRC and FTP exception handling make reasonable, though not strictly correct
235assumptions, about how IP encoded messages will appear in the control
236stream. Programmers may wish to consider how to make this process more
237robust.
238
239The packet aliasing engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c
240and alias_util.c) runs in user space, and is intended to be both portable
241and reusable for interfaces other than ppp. To access the basic engine
216translated local address (192.168.0.4), but outgoing
217traffic to the first two addresses will still be aliased
218to the specified public address.
219
220
221
2224. Future Work
223

--- 10 unchanged lines hidden (view full) ---

234IRC and FTP exception handling make reasonable, though not strictly correct
235assumptions, about how IP encoded messages will appear in the control
236stream. Programmers may wish to consider how to make this process more
237robust.
238
239The packet aliasing engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c
240and alias_util.c) runs in user space, and is intended to be both portable
241and reusable for interfaces other than ppp. To access the basic engine
242only requires four simple function calls (initialization, communication of
242only requires four simple function calls (initialisation, communication of
243host address, outgoing aliasing and incoming de-aliasing).
244
245
246
243host address, outgoing aliasing and incoming de-aliasing).
244
245
246
2475. Authors / Acknowledgments
2475. Authors / Acknowledgements
248
249Charles Mott (cmott@srv.net) <versions 1.0 - 1.8, 2.0, 2.1>
250Eivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands>
251
252Listed below, in chronological order, are individuals who have provided
253valuable comments and/or debugging assistance.
254
255 Gary Roberts

--- 14 unchanged lines hidden (view full) ---

270
271Version 1.1: August 20, 1996 (cjm)
272 PPP host accepts incoming connections for ports 0 to 1023.
273
274Version 1.2: September 7, 1996 (cjm)
275 Fragment handling error in alias_db.c corrected.
276
277Version 1.3: September 15, 1996 (cjm)
248
249Charles Mott (cmott@srv.net) <versions 1.0 - 1.8, 2.0, 2.1>
250Eivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands>
251
252Listed below, in chronological order, are individuals who have provided
253valuable comments and/or debugging assistance.
254
255 Gary Roberts

--- 14 unchanged lines hidden (view full) ---

270
271Version 1.1: August 20, 1996 (cjm)
272 PPP host accepts incoming connections for ports 0 to 1023.
273
274Version 1.2: September 7, 1996 (cjm)
275 Fragment handling error in alias_db.c corrected.
276
277Version 1.3: September 15, 1996 (cjm)
278 - Generalized mechanism for handling incoming connections
278 - Generalised mechanism for handling incoming connections
279 (no more 0 to 1023 restriction).
280 - Increased ICMP support (will handle traceroute now).
281 - Improved TCP close connection logic.
282
283Version 1.4: September 16, 1996
284 Can't remember (this version only lasted a day -- cjm).
285
286Version 1.5: September 17, 1996 (cjm)
287 Corrected error in handling incoming UDP packets
288 with zero checksum.
289
290Version 1.6: September 18, 1996
291 Simplified ICMP data storage. Will now handle
292 tracert from Win95 as well as FreeBSD traceroute.
293
279 (no more 0 to 1023 restriction).
280 - Increased ICMP support (will handle traceroute now).
281 - Improved TCP close connection logic.
282
283Version 1.4: September 16, 1996
284 Can't remember (this version only lasted a day -- cjm).
285
286Version 1.5: September 17, 1996 (cjm)
287 Corrected error in handling incoming UDP packets
288 with zero checksum.
289
290Version 1.6: September 18, 1996
291 Simplified ICMP data storage. Will now handle
292 tracert from Win95 as well as FreeBSD traceroute.
293
294Verstion 1.7: January 9, 1997 (cjm)
294Version 1.7: January 9, 1997 (cjm)
295 - Reduced malloc() activity for ICMP echo and
296 timestamp requests.
297 - Added handling for out-of-order IP fragments.
298 - Switched to differential checksum computation
299 for IP headers (TCP, UDP and ICMP checksums
300 were already differential).
301 - Accepts FTP data connections from other than
302 port 20. This allows one ftp connections
303 from two hosts which are both running packet
304 aliasing.
305
295 - Reduced malloc() activity for ICMP echo and
296 timestamp requests.
297 - Added handling for out-of-order IP fragments.
298 - Switched to differential checksum computation
299 for IP headers (TCP, UDP and ICMP checksums
300 were already differential).
301 - Accepts FTP data connections from other than
302 port 20. This allows one ftp connections
303 from two hosts which are both running packet
304 aliasing.
305
306Verstion 1.8: January 14, 1997 (cjm)
306Version 1.8: January 14, 1997 (cjm)
307 - Fixed data type error in function StartPoint()
308 in alias_db.c (this bug did not exist before v1.7)
309
310Version 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>)
307 - Fixed data type error in function StartPoint()
308 in alias_db.c (this bug did not exist before v1.7)
309
310Version 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>)
311 - Upgraded base PPP version to be the sourcecode from
311 - Upgraded base PPP version to be the source code from
312 FreeBSD 2.1.6, with additional security patches. This
313 version should still be possible to run on 2.1.5, though -
314 I've run it with a 2.1.5 kernel without problems.
315 (Update done with the permission of cjm)
316
317Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>)
318 - Added support for IRC DCC (ee)
319 - Changed the aliasing routines to use ANSI style throughout -

--- 10 unchanged lines hidden (view full) ---

330 disable this for debugging) (cjm)
331 - Sockets will be allocated in cases where there might be
332 port interference with the host machine. This can be disabled
333 in cases where the ppp host will be acting purely as a
334 masquerading router and not generate any traffic of its own.
335 (cjm)
336
337Version 2.0: March, 1997 (cjm)
312 FreeBSD 2.1.6, with additional security patches. This
313 version should still be possible to run on 2.1.5, though -
314 I've run it with a 2.1.5 kernel without problems.
315 (Update done with the permission of cjm)
316
317Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>)
318 - Added support for IRC DCC (ee)
319 - Changed the aliasing routines to use ANSI style throughout -
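Review bot: "Verstion" is corrected at lines 294 and 306, but the 1.7 entry still carries a number disagreement at line 302, "This allows one ftp connections from two hosts" (either "an ftp connection" or "ftp connections"); fix it in the same pass. Lines 283 and 290 are also the only entries without the "(cjm)" attribution the others carry, which is worth confirming as intentional.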

--- 10 unchanged lines hidden (view full) ---

330 disable this for debugging) (cjm)
331 - Sockets will be allocated in cases where there might be
332 port interference with the host machine. This can be disabled
333 in cases where the ppp host will be acting purely as a
334 masquerading router and not generate any traffic of its own.
335 (cjm)
336
337Version 2.0: March, 1997 (cjm)
338 - Incoming packets which are not recognized by the packet
338 - Incoming packets which are not recognised by the packet
339 aliasing engine are now completely dropped in ip.c.
340 - Aliasing links are cleared when a host interface address
339 aliasing engine are now completely dropped in ip.c.
340 - Aliasing links are cleared when a host interface address
341 changes (due to re-dial and dynamic address allocatioa).
341 changes (due to re-dial and dynamic address allocation).
342 - PacketAliasPermanentLink() API added.
343 - Option for only aliasing private, unregistered IP addresses
344 added.
345 - Substantial rework to the aliasing lookup engine.
346
347Version 2.1: May, 1997 (cjm)
348 - Continuing rework to the aliasing lookup engine to support
349 multiple incoming addresses and static NAT.
342 - PacketAliasPermanentLink() API added.
343 - Option for only aliasing private, unregistered IP addresses
344 added.
345 - Substantial rework to the aliasing lookup engine.
346
347Version 2.1: May, 1997 (cjm)
348 - Continuing rework to the aliasing lookup engine to support
349 multiple incoming addresses and static NAT.
350 - Now supports outgoing as well as incoming ICMP error messges/
350 - Now supports outgoing as well as incoming ICMP error messages/
351 - PPP commands to support address and port redirection.
352
351 - PPP commands to support address and port redirection.
352
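Review bot: the spelling fix at line 350 ("messages/") keeps the stray trailing slash, which reads as a typo for a full stop since every other entry in this version list ends with a period; change it to "messages.".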