Date: Fri, 30 Jul 1999 14:41:20 +0300
From: Ruslan Ermilov <ru@FreeBSD.org>
To: Brian Somers <brian@FreeBSD.org.uk>
Cc: wayne@crb-web.com, FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject: Re: help w/ NATD rules on aliased ip address
Message-ID: <19990730144120.A85626@relay.ucb.crimea.ua>
In-Reply-To: <199907290815.JAA00666@keep.lan.Awfulhak.org>; from Brian Somers on Thu, Jul 29, 1999 at 09:15:50AM +0100
References: <Pine.LNX.3.95.990728225815.10767A-100000@crb.crb-web.com> <199907290815.JAA00666@keep.lan.Awfulhak.org>
On Thu, Jul 29, 1999 at 09:15:50AM +0100, Brian Somers wrote:
> > I wish to use NATD on a computer with a single interface card in it. I have
> > looked in the handbook and "The Complete FreeBSD" but neither has information
> > pertaining to this particular configuration. I am currently running linux as a
> > natbox in this configuration but wish to switch it to freebsd.
> >
> > If anyone could help me with the natd switches and the ipfw rules I would
> > greatly appreciate it.
> >
> > Here is my configuration:
> >
> > public interface 207.196.47.5 netmask 255.255.255.240
> > interface on private network 10.0.0.50
> > netmask of private network 255.255.255.0
> >
> > I have tried natd -u -a 207.196.47.5 but this did not seem to work. I saw
> > natd viewing the packets on debug but it did not translate them and they went
> > nowhere.
>
> I *think* this is possible, but with some odd ipfw lines - something
> like:
>
> ipfw add pass all from 10.0.0.0/8 to 207.196.47.5 in
> ipfw add divert natd all from 10.0.0.0/8 to any out
>
This rule has a side effect that will cause the packet from 10.0.0.50 to
10.0.0.1 to be aliased to appear from 207.196.47.5, which is undesired, IMO.

> ipfw add divert natd all from any to 207.196.47.5 in
>
> The idea is to ensure that natd isn't given each packet twice.
> If this works, I'd suggest it's added to the man page.
>
My idea is to emulate two logical interfaces (private and external) on one
physical, and to run natd(8) on the external interface only [read: alias
only those packets that are xmitted via the external interface].

Here are the rules that implement this:

# Emulate private interface; skip aliasing if packet came from
# or is sent to the local address:
00100 allow ip from 10.0.0.0/8 to any via ed0 in
00200 allow ip from any to 10.0.0.0/8 via ed0 out
# Everything else is assumed to be sent/received via an external
# interface, so alias and de-alias as usual:
00300 divert natd from any to any via ed0
# And finally, let the traffic pass through:
00400 allow ip from any to any [via ed0]

Cheers,
--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank,
ru@FreeBSD.org          FreeBSD committer,
+380.652.247.647        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
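As an added illustration (not part of this thread), a small Python model of ipfw's first-match evaluation applied to both rule sets above on constructed sample packets; it shows the local 10.0.0.50 -> 10.0.0.1 packet being handed to natd under the first set and passed by rule 00200 under the second, while a LAN host's outbound flow and its reply are still aliased. The rule/packet model, the numbering of Brian's rules, and the sample addresses 10.0.0.7 and 1.2.3.4 are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical minimal model of ipfw's first-match evaluation for the
# single-interface box in the thread, where every packet is "via ed0",
# so the interface qualifier never changes the outcome and is ignored.
@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "allow" or "divert" (hand the packet to natd)
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    direction: str = ""  # "in", "out", or "" for either

def _in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def first_match(rules, pkt):
    """pkt is (src, dst, direction); return the first matching rule, or None (implicit deny)."""
    src, dst, direction = pkt
    for r in rules:
        if r.direction in ("", direction) and _in_net(src, r.src) and _in_net(dst, r.dst):
            return r
    return None

def aliased(rules, pkt):
    """True if ipfw would divert this packet to natd, i.e. its address gets rewritten."""
    r = first_match(rules, pkt)
    return r is not None and r.action == "divert"

# Brian's suggested rules, transcribed from the thread (numbers assigned here).
BRIAN = [
    Rule(1, "allow", "10.0.0.0/8", "207.196.47.5/32", "in"),
    Rule(2, "divert", "10.0.0.0/8", "any", "out"),
    Rule(3, "divert", "any", "207.196.47.5/32", "in"),
]
# Ruslan's rules emulating a private and an external interface on ed0.
RUSLAN = [
    Rule(100, "allow", "10.0.0.0/8", "any", "in"),
    Rule(200, "allow", "any", "10.0.0.0/8", "out"),
    Rule(300, "divert", "any", "any"),
    Rule(400, "allow", "any", "any"),
]

# Constructed sample packets: the local-to-local case Ruslan objects to,
# a LAN host's outbound flow, and the reply coming back from the Internet.
LOCAL = ("10.0.0.50", "10.0.0.1", "out")
LAN_OUT = ("10.0.0.7", "1.2.3.4", "out")
REPLY_IN = ("1.2.3.4", "207.196.47.5", "in")
```

Calling `aliased(BRIAN, LOCAL)` returns True and `aliased(RUSLAN, LOCAL)` returns False, which is exactly the side effect the reply points out.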