From owner-freebsd-questions@FreeBSD.ORG Sun Dec 10 14:28:01 2000
Date: Sun, 10 Dec 2000 17:27:54 -0500
From: Lanny Baron
To: Nash
Cc: questions@FreeBSD.ORG
Subject: Re: natd
Message-ID: <20001210172754.D73046@satan.freebsdsystems.com>
In-Reply-To: <000a01c062f6$e3066d60$026fa8c0@nash.hemmet.chalmers.se>; from nash@home.se on Sun, Dec 10, 2000 at 11:16:47PM +0100

Hi Nash,

I have included the natd man page. I hope it helps. I used to use natd but
have not in some time.

Regards,
Lanny

On Sun, Dec 10, 2000 at 11:16:47PM +0100, Nash wrote:
> Hi,
>
> I wonder if someone can please tell me who or what group it is that
> manages the "natd" daemon's problems. I've been having a problem with my
> server that I just can't seem to get rid of.
>
> Thank you beforehand,
> Nash/

[attachment: natd.txt]

NATD(8)                 FreeBSD System Manager's Manual                NATD(8)

NAME
     natd - Network Address Translation Daemon

SYNOPSIS
     natd [-unregistered_only | -u] [-log | -l] [-proxy_only] [-reverse]
          [-deny_incoming | -d] [-use_sockets | -s] [-same_ports | -m]
          [-verbose | -v] [-dynamic] [-in_port | -i port]
          [-out_port | -o port] [-port | -p port]
          [-alias_address | -a address] [-target_address | -t address]
          [-interface | -n interface] [-proxy_rule proxyspec]
          [-redirect_port linkspec] [-redirect_proto linkspec]
          [-redirect_address
          linkspec] [-config | -f configfile] [-log_denied]
          [-log_facility facility_name] [-punch_fw firewall_range]

DESCRIPTION
     This program provides a Network Address Translation facility for use
     with divert(4) sockets under FreeBSD. It is intended for use with NICs
     - if you want to do NAT on a PPP link, use the -nat switch to ppp(8).

     The natd normally runs in the background as a daemon. It is passed raw
     IP packets as they travel into and out of the machine, and will
     possibly change these before re-injecting them back into the IP packet
     stream.

     It changes all packets destined for another host so that their source
     IP number is that of the current machine. For each packet changed in
     this manner, an internal table entry is created to record this fact.
     The source port number is also changed to indicate the table entry
     applying to the packet. Packets that are received with a target IP of
     the current host are checked against this internal table. If an entry
     is found, it is used to determine the correct target IP number and port
     to place in the packet.

     The following command line options are available.

     -log | -l
             Log various aliasing statistics and information to the file
             /var/log/alias.log. This file is truncated each time natd is
             started.

     -deny_incoming | -d
             Do not pass packets destined for the current IP number that
             have no entry in the internal translation table.
     -log_denied
             Log denied incoming packets via syslog(3) (see also
             -log_facility).

     -log_facility facility_name
             Use specified log facility when logging information via
             syslog(3). Argument facility_name is one of the keywords
             specified in syslog.conf(5).

     -use_sockets | -s
             Allocate a socket(2) in order to establish an FTP data or IRC
             DCC send connection. This option uses more system resources,
             but guarantees successful connections when port numbers
             conflict.

     -same_ports | -m
             Try to keep the same port number when altering outgoing
             packets. With this option, protocols such as RPC will have a
             better chance of working. If it is not possible to maintain
             the port number, it will be silently changed as per normal.

     -verbose | -v
             Do not call daemon(3) on startup. Instead, stay attached to
             the controlling terminal and display all packet alterations to
             the standard output. This option should only be used for
             debugging purposes.

     -unregistered_only | -u
             Only alter outgoing packets with an unregistered source
             address. According to RFC 1918, unregistered source addresses
             are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.
     -redirect_port proto targetIP:targetPORT[-targetPORT]
             [aliasIP:]aliasPORT[-aliasPORT]
             [remoteIP[:remotePORT[-remotePORT]]]
             Redirect incoming connections arriving to given port(s) to
             another host and port(s). Argument proto is either tcp or udp,
             targetIP is the desired target IP number, targetPORT is the
             desired target port number or range, aliasPORT is the
             requested port number or range, and aliasIP is the aliasing
             address. Arguments remoteIP and remotePORT can be used to
             specify the connection more accurately if necessary. The
             targetPORT range and aliasPORT range need not be the same
             numerically, but must have the same size. If remotePORT is not
             specified, it is assumed to be all ports. If remotePORT is
             specified, it must match the size of targetPORT, or be 0 (all
             ports). For example, the argument

                   tcp inside1:telnet 6666

             means that incoming TCP packets destined for port 6666 on this
             machine will be sent to the telnet port on the inside1
             machine.
                   tcp inside2:2300-2399 3300-3399

             will redirect incoming connections on ports 3300-3399 to host
             inside2, ports 2300-2399. The mapping is 1:1 meaning port 3300
             maps to 2300, 3301 maps to 2301, etc.

     -redirect_proto proto localIP [publicIP [remoteIP]]
             Redirect incoming IP packets of protocol proto (see
             protocols(5)) destined for publicIP address to a localIP
             address and vice versa.

             If publicIP is not specified, then the default aliasing address
             is used. If remoteIP is specified, then only packets coming
             from/to remoteIP will match the rule.

     -redirect_address localIP publicIP
             Redirect traffic for public IP address to a machine on the
             local network. This function is known as static NAT. Normally
             static NAT is useful if your ISP has allocated a small block of
             IP addresses to you, but it can even be used in the case of
             single address:

                   redirect_address 10.0.0.8 0.0.0.0

             The above command would redirect all incoming traffic to
             machine 10.0.0.8.
             If several address aliases specify the same public address as
             follows

                   redirect_address 192.168.0.2 public_addr
                   redirect_address 192.168.0.3 public_addr
                   redirect_address 192.168.0.4 public_addr

             the incoming traffic will be directed to the last translated
             local address (192.168.0.4), but outgoing traffic from the
             first two addresses will still be aliased to appear from the
             specified public_addr.

     -redirect_port proto targetIP:targetPORT[,targetIP:targetPORT[,...]]
             [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

     -redirect_address localIP[,localIP[,...]] publicIP
             These forms of -redirect_port and -redirect_address are used to
             transparently offload network load on a single server and
             distribute the load across a pool of servers. This function is
             known as LSNAT (RFC 2391).
             For example, the argument

                   tcp www1:http,www2:http,www3:http www:http

             means that incoming HTTP requests for host www will be
             transparently redirected to one of the www1, www2 or www3,
             where a host is selected simply on a round-robin basis,
             without regard to load on the net.

     -dynamic
             If the -n or -interface option is used, natd will monitor the
             routing socket for alterations to the interface passed. If the
             interface's IP number is changed, natd will dynamically alter
             its concept of the alias address.

     -in_port | -i port
             Read from and write to port, treating all packets as packets
             coming into the machine.

     -out_port | -o port
             Read from and write to port, treating all packets as packets
             going out of the machine.

     -port | -p port
             Read from and write to port, distinguishing packets as incoming
             or outgoing using the rules specified in divert(4). If port is
             not numeric, it is searched for in the services(5) database.
             If this option is not specified, the divert port named natd
             will be used as a default.

     -alias_address | -a address
             Use address as the aliasing address. If this option is not
             specified, the -interface option must be used. The specified
             address is usually the address assigned to the public network
             interface.
             All data passing out will be rewritten with a source address
             equal to address. All data coming in will be checked to see if
             it matches any already-aliased outgoing connection. If it
             does, the packet is altered accordingly. If not, all
             -redirect_port, -redirect_proto and -redirect_address
             assignments are checked and actioned. If no other action can
             be made and if -deny_incoming is not specified, the packet is
             delivered unaltered to the local machine and port as specified
             in the packet, but see the -target_address option below.

     -t | -target_address address
             Set the target address. When an incoming packet not associated
             with any pre-existing link arrives at the host machine, it will
             be sent to the specified address. The target address may be
             set to 255.255.255.255, in which case all new incoming packets
             go to the alias address set by -alias_address or -interface.
             If this option is not used, or called with the argument
             0.0.0.0, then all new incoming packets go to the address
             specified in the packet. This allows external machines to talk
             directly to internal machines if they can route packets to the
             machine in question.
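The -redirect_port and LSNAT forms above carry two constraints that the man page states in prose: the targetPORT and aliasPORT ranges must be the same size, and remotePORT, when given, must be 0 or that same size. The script below is an added example and is not part of natd(8) or the FreeBSD project: it checks a linkspec against those rules before natd is restarted with it, and expands the 1:1 port mapping so a rule can be read back. The function names (range_size, check_redirect_port, expand_mapping) are this example's own; the hosts inside1/inside2 and the ports are the man page's sample values, and 192.0.2.10 is a constructed remote address.

```shell
#!/bin/sh
# Added example (not from natd(8)): validate a -redirect_port linkspec
# against the constraints stated above and expand the 1:1 port mapping.

# range_size RANGE: number of ports in "lo-hi"; 1 for a single port or name.
range_size() {
    case $1 in
        *-*) echo $(( ${1#*-} - ${1%-*} + 1 )) ;;
        *)   echo 1 ;;
    esac
}

# check_redirect_port PROTO TARGET ALIAS [REMOTE]
# TARGET is targetIP:targetPORT[-targetPORT], ALIAS is
# [aliasIP:]aliasPORT[-aliasPORT], REMOTE is remoteIP[:remotePORT[-remotePORT]].
# Returns 0 when the spec is consistent, 1 with the reason on stderr.
check_redirect_port() {
    proto=$1 target=$2 aspec=$3 remote=$4
    case $proto in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    case $target in
        *:*) ;;
        *) echo "target '$target' must be targetIP:targetPORT" >&2; return 1 ;;
    esac
    tsize=$(range_size "${target#*:}")     # strip targetIP:
    asize=$(range_size "${aspec##*:}")     # strip the optional aliasIP:
    if [ "$tsize" -ne "$asize" ]; then
        echo "targetPORT spans $tsize ports but aliasPORT spans $asize" >&2
        return 1
    fi
    # remotePORT, when given, must be 0 (all ports) or the same size
    case $remote in
        *:*)
            rport=${remote#*:}
            rsize=$(range_size "$rport")
            if [ "$rport" != 0 ] && [ "$rsize" -ne "$tsize" ]; then
                echo "remotePORT spans $rsize ports, expected 0 or $tsize" >&2
                return 1
            fi ;;
    esac
    return 0
}

# expand_mapping TARGETPORTS ALIASPORTS: print "aliasPORT -> targetPORT"
# lines the way natd pairs the two ranges (3300 -> 2300, 3301 -> 2301, ...).
expand_mapping() {
    case $2 in
        *-*) ;;
        *) echo "$2 -> $1"; return 0 ;;
    esac
    tlo=${1%-*} alo=${2%-*} ahi=${2#*-}
    i=0
    while [ $((alo + i)) -le "$ahi" ]; do
        echo "$((alo + i)) -> $((tlo + i))"
        i=$((i + 1))
    done
}

# Usage: check the man page's own two examples, then show the range mapping.
check_redirect_port tcp inside1:telnet 6666 && echo "inside1 rule ok"
check_redirect_port tcp inside2:2300-2399 3300-3399 && echo "inside2 rule ok"
expand_mapping 2300-2399 3300-3399 | head -n 3
```

A spec that fails the check is reported on stderr with the two sizes, which is more useful than discovering the mismatch only after the daemon has been restarted; the comma-separated LSNAT target list is not parsed here, each target in it is checked with a separate call.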
     -interface | -n interface
             Use interface to determine the aliasing address. If there is a
             possibility that the IP number associated with interface may
             change, the -dynamic option should also be used. If this
             option is not specified, the -alias_address option must be
             used. The specified interface is usually the public network
             interface.

     -config | -f file
             Read configuration from file. A file should contain a list of
             options, one per line, in the same form as the long form of
             the above command line options. For example, the line

                   alias_address 158.152.17.1

             would specify an alias address of 158.152.17.1. Options that
             do not take an argument are specified with an option of yes or
             no in the configuration file. For example, the line

                   log yes

             is synonymous with -log. Trailing spaces and empty lines are
             ignored. A `#' sign will mark the rest of the line as a
             comment.

     -reverse
             This option makes natd reverse the way it handles incoming and
             outgoing packets, allowing it to operate on the internal
             interface rather than the external one. This can be useful in
             some transparent proxying situations when outgoing traffic is
             redirected to the local machine and natd is running on the
             internal interface (it usually runs on the external
             interface).

     -proxy_only
             Force natd to perform transparent proxying only. Normal
             address translation is not performed.
     -proxy_rule [type encode_ip_hdr | encode_tcp_stream] port xxxx
             server a.b.c.d:yyyy
             Enable transparent proxying. Outgoing TCP packets with the
             given port going through this host to any other host are
             redirected to the given server and port. Optionally, the
             original target address can be encoded into the packet. Use
             encode_ip_hdr to put this information into the IP option field
             or encode_tcp_stream to inject the data into the beginning of
             the TCP stream.

     -punch_fw basenumber:count
             This option directs natd to ``punch holes'' in an
             ipfirewall(4) based firewall for FTP/IRC DCC connections. This
             is done dynamically by installing temporary firewall rules
             which allow a particular connection (and only that connection)
             to go through the firewall. The rules are removed once the
             corresponding connection terminates.

             A maximum of count rules starting from the rule number
             basenumber will be used for punching firewall holes. The range
             will be cleared for all rules on startup.

RUNNING NATD
     The following steps are necessary before attempting to run natd:

     1.   Build a custom kernel with the following options:

                options IPFIREWALL
                options IPDIVERT

          Refer to the handbook for detailed instructions on building a
          custom kernel.

     2.   Ensure that your machine is acting as a gateway.
          This can be done by specifying the line

                gateway_enable=YES

          in the /etc/rc.conf file or using the command

                sysctl -w net.inet.ip.forwarding=1

     3.   If you use the -interface option, make sure that your interface
          is already configured. If, for example, you wish to specify tun0
          as your interface, and you are using ppp(8) on that interface,
          you must make sure that you start ppp prior to starting natd.

     Running natd is fairly straightforward. The line

           natd -interface ed0

     should suffice in most cases (substituting the correct interface
     name). Please check rc.conf(5) on how to configure it to be started
     automatically during boot. Once natd is running, you must ensure that
     traffic is diverted to natd:

     1.   You will need to adjust the /etc/rc.firewall script to taste. If
          you are not interested in having a firewall, the following lines
          will do:

                /sbin/ipfw -f flush
                /sbin/ipfw add divert natd all from any to any via ed0
                /sbin/ipfw add pass all from any to any

          The second line depends on your interface (change ed0 as
          appropriate).

          You should be aware of the fact that, with these firewall
          settings, everyone on your local network can fake his source
          address using your host as gateway. If there are other hosts on
          your local network, you are strongly encouraged to create
          firewall rules that only allow traffic to and from trusted hosts.

          If you specify real firewall rules, it is best to specify line 2
          at the start of the script so that natd sees all packets before
          they are dropped by the firewall.
          After translation by natd, packets re-enter the firewall at the
          rule number following the rule number that caused the diversion
          (not the next rule if there are several at the same number).

     2.   Enable your firewall by setting

                firewall_enable=YES

          in /etc/rc.conf. This tells the system startup scripts to run
          the /etc/rc.firewall script. If you do not wish to reboot now,
          just run this by hand from the console. NEVER run this from a
          remote session unless you put it into the background. If you do,
          you will lock yourself out after the flush takes place, and
          execution of /etc/rc.firewall will stop at this point - blocking
          all accesses permanently. Running the script in the background
          should be enough to prevent this disaster.

SEE ALSO
     divert(4), protocols(5), rc.conf(5), services(5), syslog.conf(5),
     ipfw(8), ppp(8).

AUTHORS
     This program is the result of the efforts of many people at different
     times:

     Archie Cobbs (divert sockets)
     Charles Mott (packet aliasing)
     Eivind Eklund (IRC support & misc additions)
     Ari Suutari (natd)
     Dru Nelson (early PPTP support)
     Brian Somers (glue)

FreeBSD                          June 27, 2000
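Putting the -config file format and the RUNNING NATD steps together, the script below is an added example; it is not text from natd(8) nor FreeBSD's own /etc/rc.firewall. It prints a natd configuration in the long-option form and an rc.firewall fragment that keeps the divert rule first, as the man page asks, but replaces "pass all from any to any" with rules for named trusted hosts, which is the change the man page's warning about forged source addresses calls for. A small check confirms that the divert rule precedes every other rule in a generated script. The function names (natd_conf, firewall_rules, check_divert_first), the interface names ed0 (external) and xl0 (internal), the 192.168.0.x hosts and the choice of the daemon syslog facility are this example's own assumptions; output is printed for review rather than applied.

```shell
#!/bin/sh
# Added example, not from natd(8) or FreeBSD's rc.firewall: generate a natd
# -config file and an ipfw rule script for review. ed0/xl0 and the
# 192.168.0.x addresses are constructed sample values.

# natd_conf EXT_IF: print a natd -config file in the "option value" /
# "option yes|no" form described under -config.
natd_conf() {
    cat <<EOF
# generated natd configuration (constructed example)
interface $1
dynamic yes
# translate only RFC 1918 sources; registered addresses pass untouched
unregistered_only yes
# drop, and log, inbound packets with no entry in the translation table
deny_incoming yes
log_denied yes
log_facility daemon
EOF
}

# firewall_rules EXT_IF INT_IF TRUSTED_HOST...: print an rc.firewall
# fragment. Only the listed internal hosts may send through the gateway,
# so an untrusted local host cannot forge a source address and have natd
# relay it, which "pass all from any to any" would allow.
firewall_rules() {
    ext_if=$1 int_if=$2
    shift 2
    echo "/sbin/ipfw -f flush"
    # divert first: natd sees every packet before any later rule drops it
    echo "/sbin/ipfw add 100 divert natd all from any to any via $ext_if"
    echo "/sbin/ipfw add 200 pass all from any to any via lo0"
    # private source addresses never legitimately arrive from the outside
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "/sbin/ipfw add 300 deny ip from $net to any in via $ext_if"
    done
    for host in "$@"; do
        # internal side: untranslated outbound (in via int_if) and
        # translated inbound (out via int_if)
        echo "/sbin/ipfw add 400 pass all from $host to any in via $int_if"
        echo "/sbin/ipfw add 400 pass all from any to $host out via $int_if"
        # external side: inbound packets natd has already rewritten to host
        echo "/sbin/ipfw add 500 pass all from any to $host in via $ext_if"
    done
    # outbound on the external side was already checked on entry via int_if
    echo "/sbin/ipfw add 500 pass all from any to any out via $ext_if"
    echo "/sbin/ipfw add 65000 deny all from any to any"
}

# check_divert_first: read an ipfw script on stdin; return 0 only if the
# first "add" rule is the natd divert, the ordering the man page asks for.
check_divert_first() {
    first=$(grep 'ipfw add' | head -n 1)
    case $first in
        *"divert natd"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: print both files for review (copy into place only after reading).
natd_conf ed0
firewall_rules ed0 xl0 192.168.0.2 192.168.0.3
firewall_rules ed0 xl0 192.168.0.2 | check_divert_first && echo "# divert rule is first"
```

The fragment covers forwarded traffic for the trusted hosts only; services the gateway itself offers on the external interface need their own pass rules before the final deny. Because the script starts with a flush, the man page's advice applies to it unchanged: run it from the console, or in the background, never in the foreground of a remote session.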