From: Brian Somers
Date: Mon, 03 Apr 2000 10:44:18 +0100
To: Luigi Rizzo
Cc: Brian Somers, Brendan Kosowski, FreeBSD Networking, brian@hak.lan.Awfulhak.org
Subject: Re: natd problem
Message-Id: <200004030944.KAA01499@hak.lan.Awfulhak.org>
In-Reply-To: Message from Luigi Rizzo of "Mon, 03 Apr 2000 10:38:40 +0200." <200004030838.KAA56450@info.iet.unipi.it>

If you've got a spare IP number, I prefer this:

  $fwcmd add 101 divert natd all from 172.16.0.0/12 to any out via fxp0
  $fwcmd add 102 divert natd all from any to $natd_interface in via fxp0

Here, natd_interface is my spare IP number (which has been ifconfig'd as
an alias on fxp0) and 172.16.0.0/12 is my internal network.  All
connections going out get the default (first) IP number on fxp0 and
natd doesn't even get to see them.

You may also want to add

  $fwcmd add 101 divert natd all from $natd_interface to any out via fxp0

just in case someone wants to use something like datapipe (ports) to
specifically make their from address the same as $natd_interface.
> > The problem here is that the reply packets are going direct and
> > aren't getting de-aliased by natd - natd doesn't even get to see them.
>
> speaking of this... the usual suggestion for setting NATD is to
> config the firewall as
>
>   ipfw -q flush
>   ipfw add 100 divert natd ip from any to any via $natd_interface
>   ipfw add 200 allow ip from any to any
>
> but this puts a lot of load on the machine acting as natd daemon,
> as all local traffic is also passed to the daemon where it is not
> subject to any translation.
> In some cases this is quite a problem e.g. when you put
> all sorts of services on the same machine doing natd.
>
> Does anyone have a more accurate way to pass interesting packets
> to the daemon ?
>
> I could probably come up with something but i'd rather avoid
> duplicating work already done.
>
> cheers
> luigi
>

-- 
Brian
Don't _EVER_ lose your sense of humour !
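To make the difference between the two rulesets concrete, here is an added example (not code from the thread or from FreeBSD) that models ipfw's first-match evaluation for exactly the rules quoted above and counts how many packets of a constructed traffic sample each ruleset hands to natd. The addresses 198.51.100.1 (primary IP on fxp0), 198.51.100.2 (the spare alias, i.e. $natd_interface) and 203.0.113.7 (an outside host) are assumptions; 172.16.0.0/12 and fxp0 come from Brian's message.

```python
import ipaddress
# Constructed addresses (assumptions, not from the thread): fxp0 carries the
# primary IP 198.51.100.1 plus the spare alias 198.51.100.2 ($natd_interface);
# 172.16.0.0/12 is the internal network, as in Brian's message.
INTERNAL = ipaddress.ip_network("172.16.0.0/12")
NATD_IP = ipaddress.ip_address("198.51.100.2")
# A rule is (number, action, src, dst, direction, interface); None = unconstrained.
# ipfw's "via fxp0" matches both directions on that interface, hence direction=None.
def naive_rules():
    """The 'usual suggestion' quoted in the thread: divert everything via fxp0."""
    return [(100, "divert", None, None, None, "fxp0"),
            (200, "allow", None, None, None, None)]

def targeted_rules():
    """Brian's ruleset: internal->out, alias->out and inbound-to-alias only."""
    return [(101, "divert", INTERNAL, None, "out", "fxp0"),
            (101, "divert", NATD_IP, None, "out", "fxp0"),
            (102, "divert", None, NATD_IP, "in", "fxp0"),
            (200, "allow", None, None, None, None)]

def _addr_match(spec, addr):
    if spec is None:
        return True
    return addr in spec if isinstance(spec, ipaddress.IPv4Network) else addr == spec

def first_action(rules, src, dst, direction, iface):
    """Model of ipfw first-match evaluation; the implicit default rule denies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _num, action, s, d, dirn, ifn in rules:
        if dirn is not None and dirn != direction:
            continue
        if ifn is not None and ifn != iface:
            continue
        if _addr_match(s, src) and _addr_match(d, dst):
            return action
    return "deny"

# Constructed sample traffic: (src, dst, direction, interface).
SAMPLE = [
    ("172.16.5.9", "203.0.113.7", "out", "fxp0"),    # LAN host going out
    ("203.0.113.7", "198.51.100.2", "in", "fxp0"),   # reply addressed to the NAT alias
    ("203.0.113.7", "198.51.100.1", "in", "fxp0"),   # client of a service on the box itself
    ("198.51.100.1", "203.0.113.7", "out", "fxp0"),  # the box's own outbound traffic
    ("198.51.100.2", "203.0.113.7", "out", "fxp0"),  # datapipe-style source on the alias
]

def diverted(rules, packets=SAMPLE):
    """How many of the packets would be handed to natd under `rules`."""
    return sum(first_action(rules, *p) == "divert" for p in packets)
```

Under the naive ruleset all five sample packets reach natd; under Brian's, traffic to and from the box's own primary IP never does, so local services are served without a trip through the divert socket.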