From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 8 May 2020 16:45:46 +0000 (UTC)
From: G B
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Message-ID: <1088262094.244310.1588956346600@mail.yahoo.com>
Subject: Firewall/NAT and importing outside interface

I ran across this old post by Dave Presotto when someone inquired about Plan 9 as a firewall:

If you have multiple Plan 9 machines, you can use one as an inside/outside
machine and just import its outside interface onto the inside
machines.  For example, this is how we configure our outside interface.

        # second ethernet to serve the outside IP
        echo starting ether 1 to the outside
        bind -b '#l1' /net.alt
        bind -b '#I1' /net.alt
        ip/ipconfig -x /net.alt -g 204.178.31.1 ether /net.alt/ether1 204.178.31.2 255.255.255.0
        ndb/cs -x /net.alt -f /lib/ndb/external
        ndb/dns -sx /net.alt -f /lib/ndb/external
        aux/listen -d /rc/bin/service.alt -t /rc/bin/service.alt.auth /net.alt/tcp
        aux/listen -d /rc/bin/service.alt /net.alt/il

Then you can import that interface to inside machines.

        import achille /net.alt /net.alt

This has the advantage of letting you announce nothing on the outside so that
you don't have to worry about attacks.  You can do anything you want on the
inside and packets can't get out.
**************

If one is running a mail server and has it inside their firewall and if using one IP then it has to use NAT. Couldn't one presumably use the setup above and run a mail server on Plan 9 and bypass having to use NAT?  And also do the same thing for a web server?