Date: Fri, 23 Feb 2001 08:11:24 +0200
From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "Peter Brezny" <peter@black.purplecat.net>, <freebsd-net@freebsd.org>
Subject: RE: ipfw simple question
Message-ID: <NDBBIMKICMDGDMNOOCAIEEEFCDAA.patrick@mip.co.za>
In-Reply-To: <Pine.BSF.4.05.10102221800540.8312-100000@black.purplecat.net>
Peter,

I speak under correction - I am a user, not an author, of natd and ipfw. I'm sure that someone will correct me if I'm wrong....

ipfw does not allow you to specify multiple if names for the incoming or outgoing packets, although you can specify both the in- and out- if names in one rule.

ipfw does not allow you to specify multiple ip addresses for the from or to ip. The only provision made is to use an ip with a subnet mask, but you are obviously aware of this as your first example uses that syntax (0.0.0.0/8).

As for natd: here is the theory I have seen, but I have never tested it myself:

The natd_interface entry in rc.conf basically provides a default value for the -interface argument for natd. There is an entry for 'divert' in /etc/services which specifies the default port number to be used for the -port argument for natd. The default value for this is 8668. In your case you should be able to start the natd daemon by simply using the command

# natd

(this is obviously in your rc scripts already).

My understanding is that you should be able to achieve what you want by doing something like this in your rc scripts:

----
oif1=ed1             # your first external interface
oif2=ed2             # your second external interface
natdport1=8668       # port to use for nat on first interface
natdport2=8669       # port to use for nat on second interface

natd -port ${natdport1} -interface ${oif1}
natd -port ${natdport2} -interface ${oif2}
----

Now you should have two natd daemons running.

You need to divert packets correctly using ipfw, so you will need to add two rules something like:

----
fwcmd=/sbin/ipfw     # the ipfw command, as $fwcmd is used in rc.firewall
oif1=ed1             # your first external interface
oif2=ed2             # your second external interface
natdport1=8668       # port to use for nat on first interface
natdport2=8669       # port to use for nat on second interface

# each external interface gets its own divert rule, pointing at its own natd port
$fwcmd add 1 divert ${natdport1} all from any to any via ${oif1}
$fwcmd add 1 divert ${natdport2} all from any to any via ${oif2}
----

Please experiment or check this with another real expert before you put this into your production environment!

One thing worries me about this - I suspect that if your box routes packets in and out between these two external interfaces it will nat the packets just the same as if the packets were from/to internal interfaces. However, there is an argument for natd called -unregistered_only which will only perform nat on packets where the source address falls within the correct ranges of unregistered addresses specified in RFC1918. If you have been a good boy and used unregistered addresses on your private network then it should be safe (and correct I think) to add the -unregistered_only argument to both of the natd commands above.

Please let me know how it goes....

Regards,
Patrick O'Reilly

---
"I do not feel obliged to believe that the same God who has endowed us with sense, reason, and intellect has intended us to forego their use." -- Galileo Galilei

-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG [mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Peter Brezny
Sent: 23 February 2001 01:07
To: freebsd-net@FreeBSD.ORG
Subject: ipfw simple question

Hello,

I've just added a second external interface to a machine. I'd like to not have to duplicate all the rules that involve outside interfaces. I've got rules like

$fwcmd add deny all from 0.0.0.0/8 to any in via $oif

Is it possible to specify multiple interfaces for one rule by letting oif= ed0,ed1 ?

Similarly, would that work for the ip's of the outside if's?

$fwcmd add allow ip from $oip to any keep-state out via $oif

oip= 10.10.1.1,10.10.1.2 ?

And finally, my rc.conf defines the interface for natd like this:

natd_interface="xl0"

Is it possible to have natd run on both external interfaces without causing problems? How would I configure that?

TIA
pb

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
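As an added example, not part of this thread, here is a small Python model of the two-natd layout Patrick describes above. It generates the natd launch lines and the matching ipfw divert rules for any number of external interfaces (one natd per interface, each on its own divert port starting from the /etc/services default 8668), and then runs a few constructed packets through the source-address test the mail attributes to -unregistered_only, to show which packets routed between the two external interfaces would be translated with and without that option. The packet model, the sample addresses, the internal interface name fxp0 and the /sbin/ipfw value of fwcmd are assumptions; the model reproduces only the RFC 1918 source check and nothing else of natd's behaviour.

```python
import ipaddress

# RFC 1918 ("unregistered") ranges: the source-address test the mail
# attributes to natd's -unregistered_only option.
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_unregistered(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def natd_commands(interfaces, first_port=8668, unregistered_only=True):
    """One natd instance per external interface, each on its own divert port
    (8668 is the /etc/services default for 'divert'; later instances count up)."""
    cmds = []
    for i, ifname in enumerate(interfaces):
        cmd = f"natd -port {first_port + i} -interface {ifname}"
        if unregistered_only:
            cmd += " -unregistered_only"
        cmds.append(cmd)
    return cmds


def divert_rules(interfaces, first_port=8668, fwcmd="/sbin/ipfw", rule_no=1):
    """Matching ipfw divert rules: packets crossing interface i go to port
    first_port + i. fwcmd defaults to /sbin/ipfw, the usual value of the
    rc.firewall variable (assumption)."""
    return [f"{fwcmd} add {rule_no} divert {first_port + i} all from any to any via {ifname}"
            for i, ifname in enumerate(interfaces)]


def would_translate(src: str, unregistered_only: bool) -> bool:
    """Simplified model of whether the natd instance on the outgoing external
    interface rewrites a packet's source address. Without -unregistered_only
    every packet leaving the interface is a candidate; with it, only packets
    whose source is an RFC 1918 address. (Assumption: this ignores natd's
    inbound reverse translation and every other aliasing option.)"""
    return (not unregistered_only) or is_unregistered(src)


# Constructed sample packets: (source address, interface the packet arrived on,
# interface it leaves on). ed1/ed2 are the two external interfaces from the
# mail; fxp0 is an assumed internal interface; 203.0.113.x / 198.51.100.x are
# documentation addresses standing in for real public hosts.
SAMPLE_PACKETS = [
    ("192.168.1.5", "fxp0", "ed1"),   # LAN host going out: should be NATed
    ("10.0.0.9", "fxp0", "ed2"),      # LAN host going out via the second link
    ("203.0.113.7", "ed2", "ed1"),    # public host routed between the two externals
    ("198.51.100.3", "ed1", "ed2"),   # same, other direction
]


def classify(packets, unregistered_only: bool):
    """Return (src, out_if, translated) for each packet that leaves via an
    external interface, using the model above."""
    externals = {"ed1", "ed2"}
    result = []
    for src, in_if, out_if in packets:
        if out_if in externals:
            result.append((src, out_if, would_translate(src, unregistered_only)))
    return result


def nat_victims(packets):
    """Public-source packets that would be NATed without -unregistered_only but
    are left alone with it: the forwarding case the mail worries about."""
    without = classify(packets, unregistered_only=False)
    with_flag = classify(packets, unregistered_only=True)
    return [src for (src, _, a), (_, _, b) in zip(without, with_flag) if a and not b]


if __name__ == "__main__":
    for line in natd_commands(["ed1", "ed2"]) + divert_rules(["ed1", "ed2"]):
        print(line)
    print("NATed only without -unregistered_only:", nat_victims(SAMPLE_PACKETS))
```

Running it prints the two natd lines and two divert rules from the mail and then lists the two public-source packets that only -unregistered_only keeps out of the translation table; the LAN-sourced packets are translated either way.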
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NDBBIMKICMDGDMNOOCAIEEEFCDAA.patrick>