Firewall/NAT and importing outside interface

Firewall/NAT and importing outside interface

[G B]

[-- Attachment #1: Type: text/plain, Size: 1466 bytes --]

I ran across this old post by Dave Presotto when someone inquired about Plan 9 as a firewall:
If you have multiple Plan 9 machines, you can use one as an inside/outside 
 machine and just import it's outside interface onto the inside 
 machines.  For example, this is how we configure our outside interface. 
 

        # second ethernet to serve the outside IP 
         echo starting ether 1 to the outside 
         bind -b '#l1' /net.alt 
         bind -b '#I1' /net.alt 
         ip/ipconfig -x /net.alt -g 204.178.31.1 ether /net.alt/ether1 204.178.31.2 255.255.255.0 
         ndb/cs -x /net.alt -f /lib/ndb/external 
         ndb/dns -sx /net.alt -f /lib/ndb/external 
         aux/listen -d /rc/bin/service.alt -t /rc/bin/service.alt.auth /net.alt/tcp 
         aux/listen -d /rc/bin/service.alt /net.alt/il 
 

Then you can import that interface to inside machines. 
 

        import achille /net.alt /net.alt 
 
This has the advantage of letting you announce nothing on the outside so that 
 you don't have to worry about attacks.  You can do anything you want on the 
 inside and packets can't get out. ************** 

If one is running a mail server and has it inside their firewall and if using one IP then t has to use NAT. Couldn't one presumeably use the setup above and run a mail server on Plan 9 and bypass having to use NAT?  And also do the same thing for a web server?


[-- Attachment #2: Type: text/html, Size: 2196 bytes --]

Re: [9fans] Firewall/NAT and importing outside interface

[hiro]

you can also have multiple ipstacks, working ipv6 and what have you.
cinap fixed a bunch of stuff in this regard.

it's much more like linux network namespaces now, no limits to your
creativity...

Re: [9fans] Firewall/NAT and importing outside interface

[Robert Sherwood]

[-- Attachment #1: Type: text/plain, Size: 691 bytes --]

I love the idea of importing the external interface to get outside the
network. When I first read about this in Plan9, that's when the system
really "clicked" for me.

On Fri, May 8, 2020 at 1:08 PM hiro <23hiro@gmail.com> wrote:

> you can also have multiple ipstacks, working ipv6 and what have you.
> cinap fixed a bunch of stuff in this regard.
>
> it's much more like linux network namespaces now, no limits to your
> creativity...
>
> ------------------------------------------
> 9fans: 9fans
> Permalink:
> https://9fans.topicbox.com/groups/9fans/Te43262c53bc71855-M9383be68c88caf7d73dc38d6
> Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
>

[-- Attachment #2: Type: text/html, Size: 1230 bytes --]

Re: [9fans] Firewall/NAT and importing outside interface

[Charles Forsyth]

[-- Attachment #1: Type: text/plain, Size: 2095 bytes --]

>
> If one is running a mail server and has it inside their firewall and if
> using one IP then t has to use NAT. Couldn't one presumeably use the setup
> above and run a mail server on Plan 9 and bypass having to use NAT?  And
> also do the same thing for a web server?


Yes, I do that. The example you quoted creates two independent IP stacks,
starting with the default '#I0' IP stack on ether0, then adding a new IP
stack '#I1' connected to ether1 (#l1).
There is a separate TCP/IP, UDP/IP, ICMP etc for each stack. I also import
/net from a Linux server via Inferno (on Linux) so I can send mail from a
non-RBLd address.
You can create several types of virtual interface ("medium") on the IP
stack, connected to a user-mode process. See pkg and netdev in ip(3)

  I still have a router with NAT though for non-Plan 9 machines. I never
got round to writing a NAT for Plan 9 (which could work in user mode).

On Fri, May 8, 2020 at 7:55 PM Robert Sherwood <robert.sherwood@gmail.com>
wrote:

> I love the idea of importing the external interface to get outside the
> network. When I first read about this in Plan9, that's when the system
> really "clicked" for me.
>
> On Fri, May 8, 2020 at 1:08 PM hiro <23hiro@gmail.com> wrote:
>
>> you can also have multiple ipstacks, working ipv6 and what have you.
>> cinap fixed a bunch of stuff in this regard.
>>
>> it's much more like linux network namespaces now, no limits to your
>> creativity...
>>
>> ------------------------------------------
>> 9fans: 9fans
>> Permalink:
>> https://9fans.topicbox.com/groups/9fans/Te43262c53bc71855-M9383be68c88caf7d73dc38d6
>> Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
>>
> *9fans <https://9fans.topicbox.com/latest>* / 9fans / see discussions
> <https://9fans.topicbox.com/groups/9fans> + participants
> <https://9fans.topicbox.com/groups/9fans/members> + delivery options
> <https://9fans.topicbox.com/groups/9fans/subscription> Permalink
> <https://9fans.topicbox.com/groups/9fans/Te43262c53bc71855-M5a51a5f17a7747f354e5309b>
>

[-- Attachment #2: Type: text/html, Size: 3694 bytes --]