Date: Sat, 27 Mar 2004 09:40:18 -0800 (PST)
From: Marc Fonvieille <blackend@FreeBSD.org>
To: freebsd-doc@FreeBSD.org
Subject: Re: docs/64807: Handbook section on NAT incomplete
Message-ID: <200403271740.i2RHeIb6035150@freefall.freebsd.org>
The following reply was made to PR docs/64807; it has been noted by GNATS.

From: Marc Fonvieille <blackend@FreeBSD.org>
To: Vlad Manilici <vman.SYMBOL.tmok.SYMBOL.com@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: docs/64807: Handbook section on NAT incomplete
Date: Sat, 27 Mar 2004 18:38:46 +0100

On Sat, Mar 27, 2004 at 08:33:43AM -0800, Vlad Manilici wrote:
>
> >Description:
> The Handbook section on NAT:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
> does not contain sufficient information to configure NAT on FreeBSD.
>
> More specifically:
> 1. the suggested firewall configuration ("OPEN") does not contain any
>    redirection rule. Probably, the intention was "OpenClient".
> 2. it should be mentioned that NAT does not work with stateful rules.
> 3. NAT configuration with an "open" firewall is not enough in today's
>    Internet. A set of rules that mixes NAT with filtering should be
>    explained. Combining the two raises some problems not seen in either
>    independently, and should definitely be explained.
>
> Here is a working set of rules for NAT and some meaningful packet
> filtering (of course, one could do better). The external interface
> is "xl0", and the internal one "rl0". The internal network is
> 10.0.0/24.
> [...]

You are talking about packet filtering, not only NAT. The aim of the mentioned section is to only cover NAT (natd(8)), not the configuration of a firewall (that is why the OPEN type was used). All examples are done with that point of view. If someone wants to add packet filtering, reading http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html and /etc/rc.firewall will be enough, since rc.firewall contains good examples. (Changing the OPEN type to SIMPLE or CLIENT does the trick.)

Marc