From: "Jonathan Clarke" <jonathan@phillipoux.net>
To: freebsd-questions@freebsd.org
Subject: Re: NAT and Firewall Configuration ?
Date: Sat, 30 Nov 2002 13:38:13 +0100

> I am in the process of configuring NAT and a firewall on FreeBSD 4.7
> Stable. I have configured the external interface with 2 class C addresses
> 192.x.x.1 and 192.x.x.2. and the internal interface with 192.168.x.1 (
> gateway )
> I have also configured natd_flags="-redirect_address 192.168.x.3 192.x.x.2"
> which if I'm correct will redirect all traffic destined for 192.x.x.2 to
> 192.168.x.3 ?

That's right in the idea. To be finicky, I'd say that natd doesn't *redirect*
traffic, it just *rewrites* packet headers, so they can be redirected.

> My question is have I done everything correct so far and what rule would I
> use for my firewall so that natd will work the way I want it ?

You need to add the following rule as the first rule in your firewall (or
pretty much so):

    add 00100 divert natd ip from any to any via rl0

(considering rl0 is the interface connected to the exterior)

This passes all packets coming in or going out through rl0 to natd, who will
decide whether they need aliasing or not, and do so. It then passes them back
into the firewall list, at the following rule number. See man ipfw.

>
> My rc.conf is as follows:
>
> ifconfig_rl0="inet 192.x.x.1 netmask 255.255.255.0"
> ifconfig_rl0_alias0="inet 192.x.x.2 netmask 255.255.255.255"
> ifconfig_rl1="inet 192.168.x.1 netmask 255.255.255.0"
>
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-redirect_address 192.168.x.3 192.x.x.x2"
>

The line 'natd_interface="rl0"' tells natd to do its aliasing to and from the
IP address used by rl0. This may or may not be what you want, since you have
two IPs on this interface. I expect that natd gets the primary IP for the
interface rather than the alias. In this case your setup would send all
traffic for 192.x.x.2 to 192.168.x.3 and "share" the connection to all other
hosts on the 192.168.x.x network via 192.x.x.1.

> ## Required for ipfw support
> firewall_enable="YES"
> #firewall_script="/etc/rc.firewall"
> #firewall_type="OPEN"
> firewall_type="/etc/ipfw.rules"
> firewall_quiet="YES"
> firewall_logging_enable="YES"

Er, I know this isn't your question, but shouldn't
'firewall_type="/etc/ipfw.rules"' be 'firewall_script="/etc/ipfw.rules"'?

Looks good to me.

Hope this helps,

Jonathan
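An added example, not part of this thread or of FreeBSD: a small Python check for the two points raised above, that the `divert natd` rule comes before any rule that could pass or drop a packet and names the natd interface, and that `natd_interface` points at an interface carrying aliases (natd then aliases to the primary address). Inputs are the rc.conf and ipfw rule-file text as strings; the variable and rule syntax assumed is the one shown in the quoted rc.conf and the `add 00100 divert natd ...` line.

```python
"""Check an rc.conf / ipfw rule-file pair for the natd pitfalls discussed in the
thread. Example code written for this page, not from the thread or from FreeBSD."""
import re

# ipfw actions that can keep a packet from ever reaching a later divert rule.
TERMINAL = {"allow", "accept", "pass", "permit", "deny", "drop",
            "reject", "unreach", "skipto", "fwd", "forward"}

def parse_rc_conf(text):
    """sh-style NAME="value" lines -> dict; comments (#...) are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)="?([^"]*)"?$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_rules(text):
    """ipfw rule-file lines 'add NNNNN action rest' -> [(num, action, rest)],
    sorted the way ipfw evaluates them (ascending rule number)."""
    rules = []
    for line in text.splitlines():
        m = re.match(r'^\s*add\s+(\d+)\s+(\S+)\s+(.*)$', line.split("#", 1)[0])
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return sorted(rules)

def check_setup(rc_text, rules_text):
    """Return a list of findings; an empty list means the pair looks consistent."""
    conf, rules, findings = parse_rc_conf(rc_text), parse_rules(rules_text), []
    natd_if = conf.get("natd_interface", "")
    if conf.get("natd_enable", "").upper() == "YES" and natd_if:
        # natd -interface uses the interface's primary address, not its aliases
        if any(k.startswith(f"ifconfig_{natd_if}_alias") for k in conf):
            findings.append(f"{natd_if} has aliases: natd will alias to its primary address only")
    # divert target is the 'natd' service name or its default port 8668
    diverts = [r for r in rules if r[1] == "divert" and r[2].split()[:1] in (["natd"], ["8668"])]
    if not diverts:
        return findings + ["no 'divert natd' rule: natd never receives any packets"]
    num, _, rest = diverts[0]
    if natd_if and f"via {natd_if}" not in rest:
        findings.append(f"divert rule {num} should match 'via {natd_if}'")
    early = [f"{n} {a}" for n, a, _ in rules if n < num and a in TERMINAL]
    if early:
        findings.append("rules before the divert can end matching first: " + ", ".join(early))
    return findings
```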