Copyright (c) 2001 Charles Mott <cm@linktel.net>
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

$FreeBSD: src/usr.sbin/ppp/README.nat,v 1.4.4.4 2002/09/01 02:12:22 brian Exp $
$DragonFly: src/usr.sbin/ppp/README.nat,v 1.2 2003/06/17 04:30:00 dillon Exp $

User PPP NAT (Packet Aliasing)



0. Contents
    1. Background
    2. Setup
    3. New commands in ppp
    4. Future Work
    5. Authors / Acknowledgements
    6. Revision History for Aliasing Code



1. Background

User mode ppp has embedded NAT (Network Address Translation) code.
Enabling this, either by the "-nat" command line option or the
"nat enable yes" command in a ppp.conf file, makes the ppp host
automatically NAT IP packets forwarded from a local network, making
them appear to come from the ppp host machine.  Incoming packets
from the outside world are then appropriately de-NAT'd.

The process of NAT'ing involves both the IP address and the TCP or UDP
port numbers.  ICMP echo and timestamp packets are natted by their id
numbers.  ICMP error messages can be properly directed by examining the
fragment of the offending packet which is contained in the body of the
message.

This software was specifically meant to support users who have
unregistered, private address IP networks (e.g.
192.168.0.x or 10.0.0.x addresses).  The ppp host can act as a gateway
for these networks, and computers on the local area net will have some
degree of Internet access without the need for a registered IP address.
Additionally, there will be no need for an Internet service provider to
maintain routing tables for the local area network.

A disadvantage of NAT is that machines on the local network,
behind the ppp host, are not visible from the outside world.  They can
establish TCP connections and make UDP inquiries (such as domain name
service requests) but the connections seem to come from the ppp host
itself.  There is, in effect, a partial firewall.  Of course, if this is
what you want, the disadvantage becomes an advantage.

A second disadvantage is that "IP encoding" protocols, which send IP
address or port information within the data stream, are not supported
except in the cases where exception code exists.  This implementation has
workarounds for FTP and IRC DCC, the most well known of the IP encoding
protocols.  This frees users from depending on using the ftp passive
mode and avoiding IRC DCC sends, as is sometimes the case with other
masquerading solutions.

The implementation supports all standard, non-encoding TCP and UDP protocols.
Examples of these protocols are http, gopher and telnet.  The standard UDP
mode of Real-Audio is not presently supported, but the TCP mode does work
correctly.

The NAT code also handles many ICMP messages.  In particular,
ping and traceroute are supported.



2. Packet Aliasing Setup

It is recommended that users first verify correct ppp operation without
NAT enabled.  This will confirm that the ppp.conf file is
properly set up and that there are no ppp problems.  Then start ppp with
the "-nat" option on the command line.  The user should verify that
the ppp host can correctly connect to the Internet in NAT
mode.  Finally, check that machines on the private network can access
the Internet.

The NAT software handles all packets, whether they come from
the host or another computer on the local area network.  Thus, a correctly
operating ppp host indicates that the software should work properly for
other computers on the private network.

If the ppp host can access the Internet, but other computers on the local
network cannot, check that IP forwarding is enabled on the ppp host.  Also,
verify that the other computers use this machine as a gateway.  Of course,
you should also verify that machines within the local area network
communicate properly.  A common error is inconsistent subnet addresses
and masks.



3. New commands in ppp

In order to control NAT behaviour in a simple manner (no need for
recompilation), a new command has been added to ppp: nat.  This
is in addition to the -nat command line option.  System managers and
more experienced users may prefer to use the ppp command syntax
within the ppp.conf file.  The nat command also allows NAT
behaviour to be more precisely specified.

The decision to add a command instead of extending 'set' or 'option' was
to make obvious that these options only work when NAT is enabled.

The syntax for 'nat' is

    ppp> nat option [yes|no]

where option is given by one of the following templates.


  - nat enable [yes|no]  (default no)

Enable NAT functionality.  If disabled, no other NAT
options will have any effect.  You should usually enable NAT
before routing any packets over the link; good points are in the
initial script or right before adding a route.  If you do not always
want NAT, consider using the -nat option to ppp instead of this
command.


  - nat deny_incoming [yes|no]  (default yes)

Set to "yes" to disable all incoming connections.  This just drops
connections to, for example, ftp, telnet or web servers.  The NAT
mechanism prevents these connections.
Technically, this option denies all incoming TCP and UDP requests,
making the NAT software a fairly efficient one-way firewall.  The
default is no, which will allow all incoming connections to telnetd,
ftpd, etc.


  - nat log [yes|no]

Controls logging of NAT link creation to "/var/log/alias.log" - this
is usually only useful if debugging a setup, to see if the bug is in
the PPP NATing.  The debugging information is fairly limited, listing
the number of NAT links open for different protocols.


  - nat same_ports [yes|no]  (default yes)

When a connection is being established going through the NAT
routines, it will normally have its port number changed to allow the
NAT code to track it.  If same_ports is enabled, the NAT
software attempts to keep the connection's source port unchanged.
This will allow rsh, RPC and other specialised protocols to work
_most of the time_, at least on the host machine.  Please, do not
report this being unstable as a bug - it is a result of the way
NAT has to work.  TCP/IP was intended to have one IP address
per machine.


  - nat use_sockets [yes|no]  (default yes)

This is a fairly obscure option.  For the most part, the NAT
software does not have to allocate system sockets when it chooses a
NAT port number.
Under very specific circumstances, FTP data connections (which don't
know the remote port number, though it is usually 20) and IRC DCC send
(which doesn't know either the address or the port from which the
connection will come), there can potentially be some interference with
an open server socket having the same port number on the ppp host
machine.  This possibility for interference only exists until the TCP
connection has been acknowledged on both sides.  The safe option is yes,
though fewer system resources are consumed by specifying no.


  - nat unregistered_only [yes|no]  (default no)

NAT normally remaps all packets coming from the local area
network to the ppp host machine address.  Set this option to only map
addresses from the following standard ranges for private, unregistered
addresses:

    10.0.0.0     ->  10.255.255.255
    172.16.0.0   ->  172.31.255.255
    192.168.0.0  ->  192.168.255.255

In the instance that there is a subnet of public addresses and another
subnet of private addresses being routed by the ppp host, then only the
packets on the private subnet will be NAT'd.


- nat port <proto> <local addr>:<port> <nat port>

This command allows incoming traffic to <nat port> on the host
machine to be redirected to a specific machine and port on the
local area network.  One example of this would be:

    nat port tcp 192.168.0.4:telnet 8066

All traffic to port 8066 of the ppp host would then be sent to
the telnet port (23) of machine 192.168.0.4.  Port numbers
can either be designated numerically or by symbolic names
listed in /etc/services.  Similarly, addresses can be either
in dotted quad notation or in /etc/hosts.


- nat addr <local addr> <public addr>

This command allows traffic for a public IP address to be
redirected to a machine on the local network.  This function
is known as "static NAT".  An address assignment of 0 refers
to the default address of the ppp host.  Normally static
NAT is useful if your ISP has allocated a small block of
IP addresses to the user, but it can even be used in the
case of a single, dynamically allocated IP address:

    nat addr 10.0.0.8 0

The above command would redirect all incoming traffic to
machine 10.0.0.8.

If several address NATs specify the same public address
as follows

    nat addr 192.168.0.2  public_addr
    nat addr 192.168.0.3  public_addr
    nat addr 192.168.0.4  public_addr

then incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic to the first two addresses will still be NAT'd
to the specified public address.



4. Future Work

What is called NAT here has been variously called masquerading, packet
aliasing and transparent proxying by others.  It is an extremely useful
function to many users, but it is also necessarily imperfect.  The
occasional IP-encoding protocols always need workarounds (hacks).
Users who are interested in supporting new IP-encoding protocols
can follow the examples of alias_ftp.c and alias_irc.c.

ICMP error messages are currently handled only in the incoming direction.
A handler needs to be added to correctly NAT outgoing error messages.

IRC and FTP exception handling make reasonable, though not strictly
correct, assumptions about how IP encoded messages will appear in the
control stream.  Programmers may wish to consider how to make this
process more robust.
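
Added example, not part of the original README or of the aliasing code: one
way to handle an FTP PORT command in the control stream more strictly, in C.
The function names, the policy (embedded address must equal the packet's
source address, data port at least 1024, nothing may follow the command) and
the sample addresses are assumptions of this example, not behaviour of
alias_ftp.c.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read one decimal field of 1-3 digits in 0..255; -1 on anything else. */
static int read_field(const char **p, const char *end)
{
    int v = 0, n = 0;
    while (*p < end && n < 3 && isdigit((unsigned char)**p)) {
        v = v * 10 + (**p - '0');
        (*p)++;
        n++;
    }
    return (n > 0 && v <= 255) ? v : -1;
}

/* Accept only a payload that is exactly "PORT h1,h2,h3,h4,p1,p2\r\n".
 * Returns 0 and stores address and port in host byte order, else -1. */
int ftp_port_parse(const char *buf, size_t len, uint32_t *addr, uint16_t *port)
{
    static const char verb[] = "PORT ";
    const char *p = buf, *end = buf + len;
    int f[6], i;

    if (len < sizeof(verb) - 1)
        return -1;
    for (i = 0; i < 5; i++, p++)        /* FTP verbs are case-insensitive */
        if (toupper((unsigned char)*p) != verb[i])
            return -1;
    for (i = 0; i < 6; i++) {
        if ((f[i] = read_field(&p, end)) < 0)
            return -1;
        if (i < 5 && (p >= end || *p++ != ','))
            return -1;
    }
    /* Nothing but the line terminator may follow the sixth field. */
    if (end - p != 2 || p[0] != '\r' || p[1] != '\n')
        return -1;
    *addr = ((uint32_t)f[0] << 24) | ((uint32_t)f[1] << 16) |
            ((uint32_t)f[2] << 8) | (uint32_t)f[3];
    *port = (uint16_t)((f[4] << 8) | f[5]);
    return 0;
}

/* Rewrite a LAN client's PORT command to advertise the alias address and
 * port. Policy assumed for this example: the embedded address must equal
 * the packet's source address and the port must not be reserved (< 1024).
 * Returns the new length, or -1 when the command is rejected. */
int ftp_port_rewrite(const char *buf, size_t len, uint32_t pkt_src,
                     uint32_t alias_addr, uint16_t alias_port,
                     char *out, size_t outlen)
{
    uint32_t a;
    uint16_t port;
    int n;

    if (ftp_port_parse(buf, len, &a, &port) != 0 || a != pkt_src || port < 1024)
        return -1;
    n = snprintf(out, outlen, "PORT %u,%u,%u,%u,%u,%u\r\n",
                 (unsigned)(alias_addr >> 24), (unsigned)((alias_addr >> 16) & 0xff),
                 (unsigned)((alias_addr >> 8) & 0xff), (unsigned)(alias_addr & 0xff),
                 (unsigned)(alias_port >> 8), (unsigned)(alias_port & 0xff));
    return (n > 0 && (size_t)n < outlen) ? n : -1;
}

int main(void)
{
    /* Constructed sample: client 192.168.0.4, alias 203.0.113.7:40000. */
    const char *cmd = "PORT 192,168,0,4,4,1\r\n";
    char out[64];
    int n = ftp_port_rewrite(cmd, strlen(cmd), 0xC0A80004u, 0xCB007107u,
                             40000, out, sizeof(out));
    printf("%d %s", n, n > 0 ? out : "(rejected)\n");
    return 0;
}
```

A command that names a different host, a reserved port, or carries extra
bytes after the terminator is rejected instead of being given a data link.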

The NAT engine (alias.c, alias_db.c, alias_ftp.c, alias_irc.c
and alias_util.c) runs in user space, and is intended to be both portable
and reusable for interfaces other than ppp.  To access the basic engine
only requires four simple function calls (initialisation, communication of
host address, outgoing NAT and incoming de-NATing).



5. Authors / Acknowledgements

Charles Mott (cm@linktel.net) <versions 1.0 - 1.8, 2.0, 2.1>
Eivind Eklund (perhaps@yes.no) <versions 1.8b - 1.9, new ppp commands>

Listed below, in chronological order, are individuals who have provided
valuable comments and/or debugging assistance.

    Gary Roberts
    Tom Torrance
    Reto Burkhalter
    Martin Renters
    Brian Somers
    Paul Traina
    Ari Suutari
    J. Fortes
    Andrzej Bialeki



6. Revision History for Aliasing Code

Version 1.0: August 11, 1996 (cjm)

Version 1.1:  August 20, 1996  (cjm)
    PPP host accepts incoming connections for ports 0 to 1023.

Version 1.2:  September 7, 1996 (cjm)
    Fragment handling error in alias_db.c corrected.

Version 1.3: September 15, 1996 (cjm)
    - Generalised mechanism for handling incoming connections
      (no more 0 to 1023 restriction).
    - Increased ICMP support (will handle traceroute now).
    - Improved TCP close connection logic.

Version 1.4: September 16, 1996
    Can't remember (this version only lasted a day -- cjm).

Version 1.5: September 17, 1996 (cjm)
    Corrected error in handling incoming UDP packets
    with zero checksum.

Version 1.6: September 18, 1996
    Simplified ICMP data storage.  Will now handle
    tracert from Win95 as well as FreeBSD traceroute.

Version 1.7: January 9, 1997 (cjm)
    - Reduced malloc() activity for ICMP echo and
      timestamp requests.
    - Added handling for out-of-order IP fragments.
    - Switched to differential checksum computation
      for IP headers (TCP, UDP and ICMP checksums
      were already differential).
    - Accepts FTP data connections from other than
      port 20.  This allows one ftp connections
      from two hosts which are both running packet
      aliasing.

Version 1.8: January 14, 1997 (cjm)
    - Fixed data type error in function StartPoint()
      in alias_db.c (this bug did not exist before v1.7)

Version 1.8b: January 16, 1997 (Eivind Eklund <perhaps@yes.no>)
    - Upgraded base PPP version to be the source code from
      FreeBSD 2.1.6, with additional security patches.  This
      version should still be possible to run on 2.1.5, though -
      I've run it with a 2.1.5 kernel without problems.
      (Update done with the permission of cjm)

Version 1.9: February 1, 1997 (Eivind Eklund <perhaps@yes.no>)
    - Added support for IRC DCC (ee)
    - Changed the aliasing routines to use ANSI style throughout -
      minor API changes for integration with other programs than PPP (ee)
    - Changed the build process, making all options switchable
      from the Makefile (ee)
    - Fixed minor security hole in alias_ftp.c for other applications
      of the aliasing software.  Hole could _not_ manifest in
      PPP+pktAlias, but could potentially manifest in other
      applications of the aliasing. (ee)
    - Connections initiated from packet aliasing host machine will
      not have their port number aliased unless it conflicts with
      an aliasing port already being used.  (There is an option to
      disable this for debugging) (cjm)
    - Sockets will be allocated in cases where there might be
      port interference with the host machine.
      This can be disabled in cases where the ppp host will be
      acting purely as a masquerading router and not generate any
      traffic of its own.
      (cjm)

Version 2.0: March, 1997 (cjm)
    - Incoming packets which are not recognised by the packet
      aliasing engine are now completely dropped in ip.c.
    - Aliasing links are cleared when a host interface address
      changes (due to re-dial and dynamic address allocation).
    - PacketAliasPermanentLink() API added.
    - Option for only aliasing private, unregistered IP addresses
      added.
    - Substantial rework to the aliasing lookup engine.

Version 2.1: May, 1997 (cjm)
    - Continuing rework to the aliasing lookup engine to support
      multiple incoming addresses and static NAT.
    - Now supports outgoing as well as incoming ICMP error messages.
    - PPP commands to support address and port redirection.