Date: Mon, 10 Nov 2014 14:12:32 -0700
From: "Gary Aitken" <vagabond@blackfoot.net>
To: "Freebsd Questions" <questions@freebsd.org>
Cc: kudzu@tenebras.com, smithi@nimnet.asn.au
Subject: Re: natd not translating?
Message-ID: <f903055e432dff8e69c3851105f2c66b.squirrel@webmail.blackfoot.net>
Ian and Michael, thanks both of you for the clarification on using separate incoming and outgoing rules. The world is now good...

> > I have a non-gateway ip addr reserved for use by natd, and currently have
> >
> >   divert 8668 ip from any to any via ep0
> >
> > Since I have a non-gateway addr reserved for the natd xlations, it seems like
> >
> >   divert 8668 ip4 from not me to not me via ep0
> >
> > should have identical behavior; but it doesn't.
> > It seems like nothing came through to clients.
>
> Well, traffic coming back in from remote hosts IS 'to me' (ie, to any
> address configured on any interface on this box) before it's been
> translated by NAT to an inside host address

Not necessarily. If I have specified

  redirect_address 192.168.1.12 <non-gateway-ip-addr>
  alias_address <other-non-gateway-ip-addr>

then everything not destined for the gateway machine will not be "to me".

By non-gateway-ip-addr I mean one of my assigned ip addrs, but not the one assigned by me to the outward-facing interface of the gateway box. (You knew that, I just wasn't clear earlier.)

e.g. if my assigned ip addrs are a.b.c.16/29:

  gateway interface to the world: a.b.c.17
  natd.conf specifies:
    redirect_address 192.168.1.12 a.b.c.21
    alias_address a.b.c.22

I have reworked the ipfw rules starting with rc.firewall "simple" as a template and adding what little I needed. Thanks again for the hint. With those new rules, the above

  05000 divert 8668 ip4 from not me to not me via ep0

seems to work as well as

  05001 divert 8668 ip4 from 192.168.1.0/24 to any out recv xl0 xmit ep0
  05002 divert 8668 ip4 from any to not me in recv ep0

Am I right that, given the natd.conf constraints on redirect addrs indicated above, the 5000 rule should work as well as 5001 + 5002, and natd won't be doing any extra work?

> Strangely, there's no man page for ep nor if_ep on 8.x or 9.x?

Ugh. That will be interesting when my upgrade starts in a few days. Dang.

  man ep
  ep -- Ethernet driver for 3Com Etherlink III (3c5x9) interfaces
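An added illustration, not code from the mail or from FreeBSD: a small Python model of how the ipfw keywords used in the two rule sets above (me / not me, via, in / out, recv, xmit) classify a constructed set of packets, so the two rule sets can be compared case by case. The inside-interface address, the documentation ranges standing in for a.b.c.16/29 and the remote host, and the sample packets are all assumptions made for this example.

```python
"""Model of the ipfw divert rules from the thread, applied to constructed traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing: 198.51.100.16/29 stands in for the a.b.c.16/29 block.
GATEWAY_EXT = "198.51.100.17"    # outward-facing interface (ep0) of the gateway
GATEWAY_INT = "192.168.1.1"      # inside interface (xl0); assumed for this example
REDIRECT_ADDR = "198.51.100.21"  # natd redirect_address target, on no interface
ALIAS_ADDR = "198.51.100.22"     # natd alias_address, on no interface
# ipfw's "me" matches any address configured on any interface of the box.
ME = {ip_address(a) for a in (GATEWAY_EXT, GATEWAY_INT, "127.0.0.1")}

@dataclass
class Packet:
    src: str
    dst: str
    direction: str           # "in" or "out"
    recv: Optional[str]      # interface the packet arrived on, if any
    xmit: Optional[str]      # interface the packet leaves on, if any

def is_me(addr: str) -> bool:
    return ip_address(addr) in ME

def rule_5000(p: Packet) -> bool:
    """divert 8668 ip4 from not me to not me via ep0 ("via" = recv or xmit)."""
    return not is_me(p.src) and not is_me(p.dst) and "ep0" in (p.recv, p.xmit)

def rule_5001(p: Packet) -> bool:
    """divert 8668 ip4 from 192.168.1.0/24 to any out recv xl0 xmit ep0."""
    return (ip_address(p.src) in ip_network("192.168.1.0/24")
            and p.direction == "out" and p.recv == "xl0" and p.xmit == "ep0")

def rule_5002(p: Packet) -> bool:
    """divert 8668 ip4 from any to not me in recv ep0."""
    return not is_me(p.dst) and p.direction == "in" and p.recv == "ep0"

def diverted(p: Packet) -> dict:
    """Whether each rule set would hand the packet to natd."""
    return {"5000": rule_5000(p), "5001+5002": rule_5001(p) or rule_5002(p)}

# Constructed sample packets; 203.0.113.5 is a placeholder remote host.
SAMPLES = {
    "lan_to_internet": Packet("192.168.1.12", "203.0.113.5", "out", "xl0", "ep0"),
    "internet_to_alias": Packet("203.0.113.5", ALIAS_ADDR, "in", "ep0", None),
    "internet_to_redirect": Packet("203.0.113.5", REDIRECT_ADDR, "in", "ep0", None),
    "internet_to_gateway": Packet("203.0.113.5", GATEWAY_EXT, "in", "ep0", None),
    "gateway_to_internet": Packet(GATEWAY_EXT, "203.0.113.5", "out", None, "ep0"),
    "other_lan_to_internet": Packet("10.0.0.5", "203.0.113.5", "out", "xl0", "ep0"),
}
```

The last sample shows where the two sets differ: the single "not me to not me" rule diverts any non-local source leaving via ep0, while 5001 only diverts sources inside 192.168.1.0/24.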