echo: rberrypi
to: ALL
from: DENNIS LEE BIEBER
date: 2020-06-28 14:47:00
subject: Re: Using an RPi 3B+ as a

On Sun, 28 Jun 2020 18:46:03 +0200, "R.Wieser" 
declaimed the following:


>I must say I do not quite understand that.   I mean, how hard is it to
>imagine a RPi which reads datablocks from one TCP/IP interface and writes it
>to the other one (and vice versa) - and as a result dropping all IP and port
>info from either side.   That doesn't really sound like rocket-science, now
>does it ?

 As described, you have an ACTIVE PROCESS running on the R-Pi. Since the
TCP/IP interface uses source IP:port/destination IP:port (where destination
is the R-Pi) to define a connection, your active process will have to
maintain a table mapping the source:R-Pi connections to
R-Pi:other-destination. That is what a NAT router is performing! And, below
IP/port -- packets are routed by MAC address (the hardware address of the
interface itself -- one interface can have multiple IP numbers assigned to
it, each of which can have many ports active).

 If you are trying to sanitize the data "dropping IP/port" you are now
looking at the aforementioned "data diode" operation. Those are designed so
that only certain packets are allowed through, and often use fiber optics
between the two sides to ensure that there is NO wired connection (some may
also be unidirectional -- data from the secure side is sanitized (some can
actually edit out parts of the packet if the packet format is set up) and
sent out on the unsecured side, but the unsecured side can not send data to
the secure side).


 Your original post implied the R-Pi would be a more passive device. One
side would dump a file to a directory on an R-Pi storage device (recommend
a USB drive if this is a busy system, to avoid SD card failure). At
some later time the other side would retrieve the file from the R-Pi.

 THAT form of operation is easily done using FTP (deprecated in the wild
as the log-on information is sent in the clear) or sFTP (which is already
running on an R-Pi if you have SSH enabled).

 On the R-Pi, create a set of users/passwords (at minimum, one for each
side, at most one per external machine). Set these users for very minimal
privileges -- basically put them in a "post office group" and set the
storage directories to be RW for users in this "post office group". Also
set the home directory for those users to the top of the post office
directory tree.

 Source host can sFTP using its login credentials, PUT the data file.
Destination host, at some later time, will sFTP with its credentials,
check for new files, GET those files, and then DELETE the
files.
>
>Regards,
>Rudy Wieser
>


--
 Wulfraed                 Dennis Lee Bieber         AF6VN
 wlfraed@ix.netcom.com    http://wlfraed.microdiversity.freeddns.org/

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)

SOURCE: echomail via QWK@docsplace.org
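
The connection table the reply describes, as an added example that is not part of the original post: a loopback TCP relay in Python showing that the destination sees only the relay's own socket, while the relay has to remember which client socket that outbound socket belongs to. The loopback addresses, the ephemeral ports and all names here are constructed for the illustration.

```python
import asyncio

async def demo():
    table = {}         # client (ip, port) -> relay's own (ip, port) toward the destination
    seen_by_dest = []  # peer addresses the destination observed

    async def dest_handler(reader, writer):
        # Stand-in destination: note who connected, answer one line in upper case.
        seen_by_dest.append(writer.get_extra_info("peername")[:2])
        writer.write((await reader.readline()).upper())
        await writer.drain()
        writer.close()

    async def pipe(reader, writer):
        # Copy bytes one way until EOF, then close the far end.
        try:
            while data := await reader.read(4096):
                writer.write(data)
                await writer.drain()
        finally:
            writer.close()

    async def relay_handler(c_reader, c_writer):
        # The "active process": each inbound connection needs its own outbound
        # connection, and the pairing is state the relay must hold.
        d_reader, d_writer = await asyncio.open_connection(*dest_addr)
        inside = c_writer.get_extra_info("peername")[:2]
        table[inside] = d_writer.get_extra_info("sockname")[:2]
        await asyncio.gather(pipe(c_reader, d_writer), pipe(d_reader, c_writer))

    # Constructed endpoints: everything lives on loopback with ephemeral ports.
    dest = await asyncio.start_server(dest_handler, "127.0.0.1", 0)
    dest_addr = dest.sockets[0].getsockname()[:2]
    relay = await asyncio.start_server(relay_handler, "127.0.0.1", 0)
    relay_addr = relay.sockets[0].getsockname()[:2]

    reader, writer = await asyncio.open_connection(*relay_addr)
    client_addr = writer.get_extra_info("sockname")[:2]
    writer.write(b"hello\n")
    await writer.drain()
    reply = await reader.readline()
    writer.close()
    dest.close()
    relay.close()
    return client_addr, table, seen_by_dest, reply

def run_demo():
    return asyncio.run(demo())

if __name__ == "__main__":
    print(run_demo())
```

The address the destination records equals the table entry for the client, which is the same bookkeeping a NAT router keeps per connection.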
