From owner-freebsd-questions Fri Jul 30 9:51: 5 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from storm.FreeBSD.org.uk (storm.freebsd.org.uk [194.242.128.198]) by hub.freebsd.org (Postfix) with ESMTP id BB35D151C3; Fri, 30 Jul 1999 09:50:57 -0700 (PDT) (envelope-from brian@Awfulhak.org)
Received: from keep.lan.Awfulhak.org (localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.9.3/8.9.3) with ESMTP id RAA32895; Fri, 30 Jul 1999 17:50:44 +0100 (BST) (envelope-from brian@Awfulhak.org)
Received: from keep.lan.Awfulhak.org (brian@localhost.lan.Awfulhak.org [127.0.0.1]) by keep.lan.Awfulhak.org (8.9.3/8.9.3) with ESMTP id RAA03994; Fri, 30 Jul 1999 17:51:32 +0100 (BST) (envelope-from brian@keep.lan.Awfulhak.org)
Message-Id: <199907301651.RAA03994@keep.lan.Awfulhak.org>
X-Mailer: exmh version 2.0.2 2/24/98
To: Ruslan Ermilov
Cc: Brian Somers , wayne@crb-web.com, FreeBSD Questions
Subject: Re: help w/ NATD rules on aliased ip address
In-reply-to: Your message of "Fri, 30 Jul 1999 14:41:20 +0300." <19990730144120.A85626@relay.ucb.crimea.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 30 Jul 1999 17:51:32 +0100
From: Brian Somers
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> On Thu, Jul 29, 1999 at 09:15:50AM +0100, Brian Somers wrote:
> > > I wish to use NATD on a computer with a single interface card in it. I have
> > > looked in the handbook and "The Complete FreeBSD" but neither has information
> > > pertaining to this particular configuration. I am currently running linux as a
> > > natbox in this configuration but wish to switch it to freebsd.
> > >
> > > If anyone could help me with the natd switches and the ipfw rules I would
> > > greatly appreciate it.
> > >
> > > Here is my configuration:
> > >
> > > public interface 207.196.47.5 netmask 255.255.255.240
> > > interface on private network 10.0.0.50
> > > netmask of private network 255.255.255.0
> > >
> > > I have tried natd -u -a 207.196.47.5 but this did not seem to work. I saw
> > > natd viewing the packets on debug but it did not translate them and they went
> > > nowhere.
> >
> > I *think* this is possible, but with some odd ipfw lines - something
> > like:
> >
> > ipfw add pass all from 10.0.0.0/8 to 207.196.47.5 in
> > ipfw add divert natd all from 10.0.0.0/8 to any out
>
> This rule has a side effect that will cause the packet from
> 10.0.0.50 to 10.0.0.1 to be aliased to appear from 207.196.47.5,
> which is undesired, IMO.
>
> > ipfw add divert natd all from any to 207.196.47.5 in
> >
> > The idea is to ensure that natd isn't given each packet twice.
> > If this works, I'd suggest it's added to the man page.
> >
>
> My idea is to emulate two logical interfaces (private and external)
> on one physical, and to run natd(8) on the external interface only
> [read: alias only those packets that are xmitted via an external
> interface]. Here are the rules that implement this:
>
> # Emulate private interface; skip aliasing if packet came from
> # or is sent to the local address:
> 00100 allow ip from 10.0.0.0/8 to any via ed0 in
> 00200 allow ip from any to 10.0.0.0/8 via ed0 out
>
> # Everything else is assumed to be sent/received via an external
> # interface, so alias and de-alias as usual:
> 00300 divert natd from any to any via ed0
>
> # And finally, let the traffic pass through:
> 00400 allow ip from any to any [via ed0]

Yes, you're right. This makes more sense.
> Cheers,
> --
> Ruslan Ermilov          Sysadmin and DBA of the
> ru@ucb.crimea.ua        United Commercial Bank,
> ru@FreeBSD.org          FreeBSD committer,
> +380.652.247.647        Simferopol, Ukraine
>
> http://www.FreeBSD.org  The Power To Serve
> http://www.oracle.com   Enabling The Information Age

--
Brian
Don't _EVER_ lose your sense of humour !

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
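The point of the exchange above is which packets reach natd under each rule set: Brian's first attempt hands every outbound packet from 10.0.0.0/8 to natd, so LAN-to-LAN traffic (10.0.0.50 to 10.0.0.1) leaves with the public address on it, whereas Ruslan's rules let LAN traffic on ed0 past before the divert rule is reached. The following is an added example, not code from the thread or from FreeBSD: a small Python model of ipfw's first-match evaluation, restricted to the fields the posted rules actually use (source/destination prefix, in/out, "via" interface). Rule numbers 1000/1100/1200 for Brian's set are assumed (he let ipfw number them), the sample packets are constructed, and 198.51.100.7 is a documentation address standing in for an arbitrary Internet host.

```python
"""Model of ipfw(8) first-match evaluation for the two rule sets in the thread.

Added illustration, not code from the thread or from FreeBSD.  Only the
matching fields the posted rules use are modelled; the result is which rule
fires, so one can see which packets would be handed to natd under each set.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str          # "in" (received on iface) or "out" (transmitted)
    iface: str = "ed0"      # the single physical interface in the thread


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                         # "allow" or "divert" (to natd)
    src: str                            # prefix, host, or "any"
    dst: str
    direction: Optional[str] = None     # None: matches both in and out
    via: Optional[str] = None           # None: no interface restriction

    @staticmethod
    def _addr_matches(spec: str, addr: str) -> bool:
        if spec == "any":
            return True
        # A bare host such as 207.196.47.5 becomes a /32 network.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, pkt: Packet) -> bool:
        return (
            self._addr_matches(self.src, pkt.src)
            and self._addr_matches(self.dst, pkt.dst)
            and (self.direction is None or self.direction == pkt.direction)
            and (self.via is None or self.via == pkt.iface)
        )


def evaluate(rules, pkt: Packet) -> Optional[Tuple[int, str]]:
    """Return (rule number, action) of the first matching rule, or None.

    ipfw walks rules in ascending number order and stops at the first match.
    None means the packet fell through to the chain's default policy, which
    Brian's snippet does not show, so it is left undecided here.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return None


# Brian's first suggestion; the numbers are assumed only to make order explicit.
BRIAN_RULES = [
    Rule(1000, "allow",  "10.0.0.0/8", "207.196.47.5", direction="in"),
    Rule(1100, "divert", "10.0.0.0/8", "any",          direction="out"),
    Rule(1200, "divert", "any",        "207.196.47.5", direction="in"),
]

# Ruslan's rule set: LAN traffic on ed0 is treated as the "private interface"
# and skips natd; everything else on ed0 is aliased.
RUSLAN_RULES = [
    Rule(100, "allow",  "10.0.0.0/8", "any",        direction="in",  via="ed0"),
    Rule(200, "allow",  "any",        "10.0.0.0/8", direction="out", via="ed0"),
    Rule(300, "divert", "any",        "any",                         via="ed0"),
    Rule(400, "allow",  "any",        "any"),
]

# Constructed sample packets (198.51.100.7 stands in for an Internet host).
SAMPLES = {
    "lan_to_lan_out":  Packet("10.0.0.50", "10.0.0.1", "out"),
    "lan_to_inet_out": Packet("10.0.0.50", "198.51.100.7", "out"),
    "inet_to_pub_in":  Packet("198.51.100.7", "207.196.47.5", "in"),
    "lan_to_lan_in":   Packet("10.0.0.1", "10.0.0.50", "in"),
}


def aliased_by(rules, pkt: Packet) -> bool:
    """True if the packet is diverted to natd, i.e. its addresses get rewritten."""
    hit = evaluate(rules, pkt)
    return hit is not None and hit[1] == "divert"


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16} Brian: {evaluate(BRIAN_RULES, pkt)}  "
              f"Ruslan: {evaluate(RUSLAN_RULES, pkt)}")
```

Running it shows the side effect Ruslan describes: `lan_to_lan_out` hits Brian's rule 1100 (divert) but Ruslan's rule 200 (allow), while Internet-bound and Internet-originated packets are diverted under both sets. The model deliberately ignores one real ipfw detail: after natd reinjects a diverted packet, evaluation resumes at the rule following the divert, which is why Ruslan's set needs the final `00400 allow` and why a rule set without it relies on the default policy.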