> Easy ?! I'm not so sure. But has anyone built such a beast ?
Well sort of - I have a bridge running at home that has been used for PofP
experiments so I know it can be done but is not something I would want
to hand to a user or even an administrator.
The principle is simple: firewalls receive packets but instead of just
translating to the internal protocols, examine the packet for type,
source, and destination (these being bytes at specific offesets in the
header). Since the information is already in a buffer, it is simple
add logic to change the source or destination to "something else" since
it is just a matter of byte for byte replacement.
Now if there were a direct map that could be used (for example if the
internal network used a class B addressing as was mentioned but the
set was logic mappable, this would be trivial. If not, translation tables
would be necessary.
An example: Consider a system that used the internal address 188.8.131.52
(class B) but had an registered class C address of 257.10.20.x then
translation of 184.108.40.206 to 2220.127.116.11 would be a simple logic sieve. Of
course if you have more than 254 nodes requiring access this would require
something more imaginative (and/or multiple Class Cs).
If simple mapping were not used, then a more complex algorithm would
be necessary with table mapping the Last Resort (_Total Recall_).
But the important element is that the firewall already has the information,
is fixed length, knows where it is, and modification is easy (could even
use COBOL - is good at modifying precisely located fixed length records 8*).