* Firewall/NAT and importing outside interface
From: G B @ 2020-05-08 16:45 UTC
To: Fans of the OS Plan 9 from Bell Labs

I ran across this old post by Dave Presotto when someone inquired about Plan 9 as a firewall:

    If you have multiple Plan 9 machines, you can use one as an inside/outside machine and just import its outside interface onto the inside machines. For example, this is how we configure our outside interface.

        # second ethernet to serve the outside IP
        echo starting ether 1 to the outside
        bind -b '#l1' /net.alt
        bind -b '#I1' /net.alt
        ip/ipconfig -x /net.alt -g 204.178.31.1 ether /net.alt/ether1 204.178.31.2 255.255.255.0
        ndb/cs -x /net.alt -f /lib/ndb/external
        ndb/dns -sx /net.alt -f /lib/ndb/external
        aux/listen -d /rc/bin/service.alt -t /rc/bin/service.alt.auth /net.alt/tcp
        aux/listen -d /rc/bin/service.alt /net.alt/il

    Then you can import that interface to inside machines.

        import achille /net.alt /net.alt

    This has the advantage of letting you announce nothing on the outside so that you don't have to worry about attacks. You can do anything you want on the inside and packets can't get out.

**************

If one is running a mail server and has it inside their firewall and if using one IP then it has to use NAT. Couldn't one presumably use the setup above and run a mail server on Plan 9 and bypass having to use NAT? And also do the same thing for a web server?
* Re: [9fans] Firewall/NAT and importing outside interface
From: hiro @ 2020-05-08 17:07 UTC
To: 9fans

you can also have multiple ipstacks, working ipv6 and what have you.
cinap fixed a bunch of stuff in this regard.

it's much more like linux network namespaces now, no limits to your creativity...
* Re: [9fans] Firewall/NAT and importing outside interface
From: Robert Sherwood @ 2020-05-08 18:53 UTC
To: 9fans

I love the idea of importing the external interface to get outside the network. When I first read about this in Plan9, that's when the system really "clicked" for me.

On Fri, May 8, 2020 at 1:08 PM hiro <23hiro@gmail.com> wrote:
> you can also have multiple ipstacks, working ipv6 and what have you.
> cinap fixed a bunch of stuff in this regard.
>
> it's much more like linux network namespaces now, no limits to your
> creativity...
* Re: [9fans] Firewall/NAT and importing outside interface
From: Charles Forsyth @ 2020-05-10 18:04 UTC
To: 9fans

> If one is running a mail server and has it inside their firewall and if
> using one IP then it has to use NAT. Couldn't one presumably use the setup
> above and run a mail server on Plan 9 and bypass having to use NAT? And
> also do the same thing for a web server?

Yes, I do that.

The example you quoted creates two independent IP stacks, starting with the default '#I0' IP stack on ether0, then adding a new IP stack '#I1' connected to ether1 (#l1). There is a separate TCP/IP, UDP/IP, ICMP etc. for each stack.

I also import /net from a Linux server via Inferno (on Linux) so I can send mail from a non-RBLd address.

You can create several types of virtual interface ("medium") on the IP stack, connected to a user-mode process. See pkg and netdev in ip(3).

I still have a router with NAT though for non-Plan 9 machines. I never got round to writing a NAT for Plan 9 (which could work in user mode).

On Fri, May 8, 2020 at 7:55 PM Robert Sherwood <robert.sherwood@gmail.com> wrote:
> I love the idea of importing the external interface to get outside the
> network. When I first read about this in Plan9, that's when the system
> really "clicked" for me.
>
> On Fri, May 8, 2020 at 1:08 PM hiro <23hiro@gmail.com> wrote:
>
>> you can also have multiple ipstacks, working ipv6 and what have you.
>> cinap fixed a bunch of stuff in this regard.
>>
>> it's much more like linux network namespaces now, no limits to your
>> creativity...
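The quoted two-stack configuration at the top of the thread and Charles Forsyth's reply that a mail server can be run on the imported stack, put together as an added rc script for an inside machine; this is not code from the thread or from any of its authors. It assumes the gateway is named achille and carries 204.178.31.2 on its '#I1' stack as in the quoted post, and that the inside machine has its own /rc/bin/service.alt directory containing a tcp25 (SMTP) service script.

```rc
#!/bin/rc
# Added example (not from the thread): serve SMTP from an inside Plan 9
# machine over the outside IP stack imported from the gateway.
# Assumptions: gateway achille, outside address 204.178.31.2 (both from
# the quoted post), and a local /rc/bin/service.alt with a tcp25 script.
rfork n		# private namespace: the import is visible only to this script

# Bring the gateway's second IP stack ('#I1', bound at /net.alt on achille)
# into this namespace. /net remains the inside stack, untouched.
import achille /net.alt /net.alt || exit 'import failed'

# Sanity check: the imported stack must carry the outside address.
# Each /net.alt/ipifc/N/status lists the addresses on that interface.
if(! grep -s '204\.178\.31\.2' /net.alt/ipifc/*/status){
	echo 'outside address not found on imported stack' >[1=2]
	exit noaddr
}

# Review what is already announced on the outside stack before adding
# anything. Each conversation is a numbered directory under tcp/ whose
# status file begins with its state (Listen, Established, ...).
for(c in /net.alt/tcp/[0-9]*)
	echo $c `{cat $c/status}

# Announce on the outside stack. aux/listen only ever runs scripts found
# in /rc/bin/service.alt, so the set of services reachable from outside
# is exactly the contents of that directory and nothing from /net.
aux/listen -d /rc/bin/service.alt /net.alt/tcp
```

Because the announce goes through the imported /net.alt, the listening socket lives in the gateway's outside stack while the mail daemon's process, namespace and files stay on the inside machine.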