Date: Sat, 21 Nov 1998 21:36:44 -0500 (EST)
From: Vinnie Yesue
To: freebsd-questions@FreeBSD.ORG
Subject: natd and ipfw

I'm using natd to run 4 machines with only 1 IP. I have 1 router-like box with 2 ether cards and 1 IP assigned to it. One of the ethers is plugged into the school ethernet, the other into my hub, with 3 other devices plugged in.

I want to allow users on the inside to establish DNS, HTTP and SSH connections to the outside world, but I don't want any packets other than established connections of those sorts getting past my router. Additionally, I need to be able to ssh into the router from 1 particular IP, as well as ssh from the router through into the local machines.

I think I could do this if I had each host with its own IP address, but that's not the case. natd seems to be throwing a bit of weirdness into the mix. Where do I want to put my "divert" rule? Should I put all traffic going through the router through divert? Just traffic that's coming from inside?

Once IP addresses of packets that are from the inside masqueraded network and to the outside world have had their contents adjusted by natd, they are "reinjected into the ip stream" according to the natd manpage. Are they reinjected before or after ipfw?

Thanks for any help.

vinnie