From owner-freebsd-ipfw@FreeBSD.ORG Tue Mar 30 12:59:09 2004
Delivered-To: freebsd-ipfw@freebsd.org
Message-ID: <4069DF8E.1000002@freebsdbrasil.com.br>
Date: Tue, 30 Mar 2004 17:58:54 -0300
From: Patrick Tracanelli
Organization: FreeBSD Brasil LTDA
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.3.1) Gecko/20030524
To: UNAp
References: <001d01c4166f$aa3f1ba0$74e1a4d5@pccore>
In-Reply-To: <001d01c4166f$aa3f1ba0$74e1a4d5@pccore>
cc: ipfw@freebsd.org
Subject: Re: NAT for one, or more IP
List-Id: IPFW Technical Discussions

Divert the incoming packets from your network to the registered IP you want to translate your unregistered network to, and on the other hand, divert the outgoing packets from your network to any destination (or non-public one, say the internet).
01200 69 30884 divert 8668 ip from any to 200.40.30.77 in
01300 81718 15592449 divert 8668 ip from 192.168.2.0/28 to any out

You may create this kind of rule for both networks and hosts, or even a set of hosts/networks (say, with an or-block); you may even FWD packets in such a way where ipfw would act like a "next-hop" router, and set up policy-routing based on source/destination and services (ports). Here, we have some set of rules that

[skip]
00300 6116 7935516 divert 8668 ip from any to 200.30.40.67 in
00400 21832 20430068 divert 8668 ip from any to 200.30.40.68 in
00500 20382 20217368 divert 8668 ip from any to 200.30.40.69 in
[skip]
01300 81718 15592449 divert 8668 ip from 192.168.2.0/28 to any out
01400 3959 258874 fwd 200.30.40.65 ip from 200.30.40.67 to any
01500 20052 6124430 fwd 200.30.40.65 ip from 200.30.40.68 to any
01600 18071 2967705 fwd 200.30.40.65 ip from 200.30.40.69 to any
[skip]
02300 62364 7935516 divert 8669 ip from any to 200.30.40.195 in
02400 97345 20430068 divert 8669 ip from any to 200.30.40.196 in
02500 75345 20217368 divert 8669 ip from any to 200.30.40.197 in
[skip]
03300 817181 15592449 divert 8669 ip from 10.0.2.0/24 to any out
03400 3793 258874 fwd 200.30.40.193 ip from 200.30.40.195 to any
03500 88034 6124430 fwd 200.30.40.193 ip from 200.30.40.196 to any
03600 9635 2967705 fwd 200.30.40.193 ip from 200.30.40.197 to any
[skip]

In this specific case it is a multi-homed scenario where each unregistered network goes out on different links (gateways) and the default flow goes, obviously, by the default gateway on the system (in this case, they are not unregistered networks, but a third registered network).
NAT in this scenario is STATIC (that is why the rules are translated to many different IPs), say:

# $ natd2.conf $ Patrick Tracanelli
# patrick@freebsdbrasil.com.br
#
interface fxp0
same_ports yes
use_sockets yes
punch_fw 00001:99
log_ipfw_denied yes
redirect_address 192.168.2.2 200.30.40.67
redirect_address 192.168.2.3 200.30.40.68
redirect_address 192.168.2.4 200.30.40.69
...
[skip]

There are 2 natd instances, running on port 8669 and the default one (8668); everything else goes via the default route (the third link).

There are other simple examples that may fit your needs better; you might take a look at the following thread:

http://www4.fugspbr.org/lista/html/FUG-BR/2004-03/msg00149.html

Although it's in Portuguese, the rules are there;

--
Atenciosamente,

Patrick Tracanelli

FreeBSD Brasil LTDA.
The FreeBSD pt_BR Documentation Project
http://www.freebsdbrasil.com.br
patrick @ freebsdbrasil.com.br
"Long live Hanin Elias, Kim Deal!"
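The layout above pairs three things per link: an inbound divert for every public address, one outbound divert for the private network, and a fwd to that link's gateway for every public address, with the natd instance on that divert port holding the matching redirect_address lines. As an added example (not part of the message above, and not FreeBSD Brasil's own tooling), the POSIX sh functions below generate the ipfw rule text and natd configuration for one such link from a single "internal external" address map, and then check that every public address has both its inbound divert and its fwd rule, since a public address that is translated but not forwarded would have its replies leave via the default gateway instead of the link it belongs to. All addresses, interface names, rule numbers and the divert port are constructed sample values.

```sh
#!/bin/sh
# Added example: generate ipfw divert/fwd rules and natd config for one link
# of a static-NAT, multi-homed setup, then verify the rules are paired.
# Every address, port and rule number below is a constructed sample value.

# natd_conf IFACE MAP
#   Print a natd configuration for one link. MAP is a string of
#   "internal external" pairs, one pair per line.
natd_conf() {
    iface=$1; map=$2
    printf 'interface %s\nsame_ports yes\nuse_sockets yes\n' "$iface"
    # Here-doc rather than a pipe so the loop runs in the current shell.
    while read -r int ext; do
        [ -n "$ext" ] || continue
        printf 'redirect_address %s %s\n' "$int" "$ext"
    done <<EOF
$map
EOF
}

# ipfw_rules DIVERT_PORT GATEWAY PRIVATE_NET BASE MAP
#   Print "add NNNNN ..." lines in the order used in the post:
#   inbound diverts per public address, one outbound divert for the
#   private network, then one fwd per public address to the link gateway.
#   Rule numbers start at BASE and step by 100.
ipfw_rules() {
    port=$1; gw=$2; net=$3; n=$4; map=$5
    while read -r int ext; do
        [ -n "$ext" ] || continue
        printf 'add %05d divert %s ip from any to %s in\n' "$n" "$port" "$ext"
        n=$((n + 100))
    done <<EOF
$map
EOF
    printf 'add %05d divert %s ip from %s to any out\n' "$n" "$port" "$net"
    n=$((n + 100))
    while read -r int ext; do
        [ -n "$ext" ] || continue
        printf 'add %05d fwd %s ip from %s to any\n' "$n" "$gw" "$ext"
        n=$((n + 100))
    done <<EOF
$map
EOF
}

# verify_pairing RULES MAP
#   Return 0 when every public address in MAP has both an inbound divert
#   and a fwd rule in RULES; otherwise report each gap on stderr and
#   return 1. Dots in the addresses are left as regex wildcards, which is
#   acceptable for a consistency check over our own generated text.
verify_pairing() {
    rules=$1; map=$2; rc=0
    while read -r int ext; do
        [ -n "$ext" ] || continue
        if ! printf '%s\n' "$rules" | grep -q " divert [0-9]* ip from any to $ext in\$"; then
            echo "missing inbound divert for $ext" >&2; rc=1
        fi
        if ! printf '%s\n' "$rules" | grep -q " fwd [0-9.]* ip from $ext to any\$"; then
            echo "missing fwd for $ext" >&2; rc=1
        fi
    done <<EOF
$map
EOF
    return $rc
}

# Sample map (constructed): two hosts on one link.
SAMPLE_MAP='192.168.2.2 200.30.40.67
192.168.2.3 200.30.40.68'

# Usage: emit the natd config and the rules, then check them.
natd_conf fxp0 "$SAMPLE_MAP"
RULES=$(ipfw_rules 8668 200.30.40.65 192.168.2.0/28 300 "$SAMPLE_MAP")
printf '%s\n' "$RULES"
verify_pairing "$RULES" "$SAMPLE_MAP" && echo "all public addresses are diverted and forwarded"
```

The generated lines are meant to be fed to `ipfw add` (the leading `add` is already there) and written to a natd configuration file for the instance started with `-p 8668` on that link; a second link gets its own map, gateway, divert port and natd instance, exactly as the post runs two natd processes.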