Date: Sun, 10 Dec 2000 21:12:59 -0500 (EST)
From: Chris Hill <chris@monochrome.org>
To: Jonathan Chen
Cc: Sean Peck, "Crist J. Clark", freebsd-questions@FreeBSD.ORG
Subject: Re: Configuring Gateway/NAT on Freebsd
In-Reply-To: <20001211145157.A15455@jonc.itouch>

On Mon, 11 Dec 2000, Jonathan Chen wrote:

> On Sun, Dec 10, 2000 at 05:24:50PM -0800, Sean Peck wrote:
> [...]
> > I have the NIC listening to both IP's at least in theory, 172.16.0.1 and
> > my public space IP... I assume that it must be listening there as well...
> > perhaps incorrectly.
>
> For a firewall, you need to have 2 NICs. One for your i/f to the 'Net,
> and one for your i/f to your internal network.

If Sean's connection to the outside world is via ppp, his outside
interface would be tun0 or ppp0, depending. The second interface would be
some random ethernet card connected to the other machines on the LAN.

> Think of a stream of information that must pass in thru' your f/w
> rules before it can go out thru' the second i/f to your internal
> network.

Yes. Although in the simplest case of NAT, the only firewall rule is the
one that tells NAT to do its thing.

> If your i/f to the 'Net is a dial-up ppp link, you set up ppp to
> handle nat with a -nat option, instead of using 'natd'.

Well... you don't *have* to; you *can* use natd while using ppp. Just set
your "outside" interface (in /etc/rc.conf) to be tun0 or ppp0. I was doing
this for years and it worked fine.

Having said that, consensus on the list seems to be that it's better to
use userland ppp's NATting feature, rather than natd. I'm not sure why.

--
Chris Hill               chris@monochrome.org
[1] Bus error            netscape
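As an added example that is not part of the thread: the /etc/rc.conf settings behind the two setups discussed above on a FreeBSD 4.x dial-up gateway, natd with the ppp link as the "outside" interface, or userland ppp's own NAT (the -nat option). The interface name tun0, the profile name isp and the kernel having options IPFIREWALL and IPDIVERT are assumptions.

```shell
# /etc/rc.conf fragment (added example, not from the thread).
# Assumes userland ppp, whose link interface is tun0; kernel pppd
# would give ppp0 instead.

gateway_enable="YES"      # forward packets between the two interfaces
firewall_enable="YES"     # run /etc/rc.firewall, which installs the rules
firewall_type="open"      # pass everything while testing; tighten afterwards

# Option A (what Chris describes): natd, with the ppp link named as the
# outside interface. rc.firewall then adds the single NAT rule he mentions,
# of the form:  ipfw add divert natd all from any to any via tun0
natd_enable="YES"
natd_interface="tun0"     # the "outside" interface; ppp0 for kernel pppd
natd_flags=""

# Option B (what the list prefers): let userland ppp translate addresses
# itself, the equivalent of "ppp -nat". For option B set ppp_nat="YES"
# and natd_enable="NO"; running both would translate twice.
ppp_enable="YES"
ppp_mode="ddial"          # keep the link up and redial when it drops
ppp_profile="isp"         # assumed profile name in /etc/ppp/ppp.conf
ppp_nat="NO"              # "YES" selects option B
```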