From: Chuck Swiger <cswiger@mac.com>
To: freebsd-questions@freebsd.org
Date: Fri, 15 Jul 2005 14:18:48 -0400
Subject: IPFW+natd & Cisco VPN tunnelling....

Hi, all--

I'm working on a new firewall running FreeBSD-5.4, IPFW, and natd for a small client network of about 50 boxes, using a single routable IP via a T1 link.
They want to set up a Cisco 87x router as a VPN endpoint; my part is to set up forwarding of the VPN traffic via the firewall to this Cisco. The firewall box is a Dell 2850 with dual Intel em NICs. Since I'm waiting for someone else to get that box up, I decided to check here whether my config is sane.

I'm using a normal divert rule to forward traffic to natd, which is working fine, and have this as /etc/natd.conf:

    # NATD configuration options
    dynamic yes
    interface em1
    #log yes
    log_denied yes
    use_sockets yes
    same_ports yes
    unregistered_only yes
    redirect_port tcp 192.168.1.2:www www
    redirect_proto gre ciscovpn
    redirect_port udp ciscovpn:500 500
    redirect_port tcp ciscovpn:10000 10000
    redirect_port tcp ciscovpn:pptp pptp

...where ciscovpn is obviously the hostname for the Cisco 870 box.

Is there any way to convince natd to re-read the natd.conf file short of killing and restarting the daemon entirely? The manpage didn't say so, and "kill -HUP" terminates the process.

-- 
-Chuck

PS: It seems unfortunate that not including a natd_interface statement in rc.conf causes /etc/rc.firewall to not include a divert rule, but that can be corrected by using your own rules in a file and setting firewall_type.
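The script below is an added example, not part of Chuck's mail or of FreeBSD's natd: it parses the posted natd.conf, reports exactly which protocol/port pairs the outside interface will expose through natd, and emits the ipfw divert and allow rules that pair with those redirects, which is the sanity check a reviewer would want before the box goes live. Assumptions: the small SERVICES table stands in for /etc/services for the names in the posted file (www = 80, pptp = 1723), natd listens on its default divert port 8668, rules are numbered from 1000 in steps of 10, and the allow rules match the translated (inside) destination because they sit after the divert. It generates only what the redirects call for; the rest of the ruleset (outbound, established, default deny) is out of scope, and native IPsec ESP (IP protocol 50) would need its own redirect_proto line, which the posted config does not have.

```python
"""Parse a natd.conf, report what the outside interface exposes, and emit the
ipfw rules that pair with it.  Added example; not from the original mail."""
import socket

# Constructed copy of the natd.conf posted in the message.
NATD_CONF = """
# NATD configuration options
dynamic yes
interface em1
#log yes
log_denied yes
use_sockets yes
same_ports yes
unregistered_only yes
redirect_port tcp 192.168.1.2:www www
redirect_proto gre ciscovpn
redirect_port udp ciscovpn:500 500
redirect_port tcp ciscovpn:10000 10000
redirect_port tcp ciscovpn:pptp pptp
"""

# Assumed service-name table for the names used above; /etc/services is
# consulted for anything else.
SERVICES = {"www": 80, "http": 80, "pptp": 1723, "isakmp": 500}
NATD_DIVERT_PORT = 8668  # natd's default divert port (service name "natd")


def port_number(name):
    """Resolve a port given as a number or a service name."""
    if name.isdigit():
        return int(name)
    if name in SERVICES:
        return SERVICES[name]
    return socket.getservbyname(name)


def parse_natd_conf(text):
    """Return (options, redirects) from natd.conf text.

    redirects is a list of dicts: kind "port" carries proto, target host,
    target port and alias (public) port; kind "proto" carries proto and host.
    Comments (#) and blank lines are skipped, as natd does.
    """
    options, redirects = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0]
        if key == "redirect_port":
            # redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP]
            proto, target, alias = parts[1], parts[2], parts[3]
            host, tport = target.rsplit(":", 1)
            redirects.append({"kind": "port", "proto": proto, "host": host,
                              "target_port": port_number(tport),
                              "alias_port": port_number(alias.rsplit(":", 1)[-1])})
        elif key == "redirect_proto":
            # redirect_proto proto localIP [publicIP [remoteIP]]
            redirects.append({"kind": "proto", "proto": parts[1], "host": parts[2]})
        else:
            options[key] = " ".join(parts[1:]) if len(parts) > 1 else "yes"
    return options, redirects


def exposed_services(redirects):
    """Set of (proto, public port) reachable from outside through natd.
    Protocol redirects (gre, esp, ...) carry no port and are reported as None."""
    return {(r["proto"], r["alias_port"] if r["kind"] == "port" else None)
            for r in redirects}


def ipfw_rules(options, redirects, first=1000, step=10):
    """ipfw commands pairing with the natd.conf: the divert first, then one
    allow per redirect.  The allows match the translated (inside) destination
    because they run after the divert rule has rewritten the packet.  Rule
    numbering is an assumption of this example."""
    iface = options.get("interface")
    if not iface:
        raise ValueError("natd.conf has no interface line; cannot place divert rule")
    rules = [f"add {first} divert {NATD_DIVERT_PORT} ip from any to any via {iface}"]
    n = first + step
    for r in redirects:
        if r["kind"] == "port":
            rules.append(f"add {n} allow {r['proto']} from any to {r['host']} "
                         f"{r['target_port']} in via {iface}")
        else:
            rules.append(f"add {n} allow {r['proto']} from any to {r['host']} in via {iface}")
        n += step
    return rules


if __name__ == "__main__":
    opts, rds = parse_natd_conf(NATD_CONF)
    print("exposed on", opts["interface"] + ":", sorted(exposed_services(rds), key=str))
    print("\n".join(ipfw_rules(opts, rds)))
```

Feed the output of ipfw_rules to `ipfw -q` from the custom rules file named by firewall_type; the point of the exposure report is to compare it line by line against what the client actually asked to have reachable from the Internet.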