From owner-freebsd-bugs Wed Aug 30 8:20:11 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 0348F37B422 for ; Wed, 30 Aug 2000 08:20:04 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id IAA86439; Wed, 30 Aug 2000 08:20:03 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from picalon.gun.de (picalon.gun.de [192.109.159.1]) by hub.freebsd.org (Postfix) with ESMTP id 1210F37B422 for ; Wed, 30 Aug 2000 08:15:39 -0700 (PDT)
Received: (from uucp@localhost) by picalon.gun.de (8.9.3/8.9.3) id RAA03015 for FreeBSD-gnats-submit@FreeBSD.org; Wed, 30 Aug 2000 17:15:22 +0200 (MET DST)
Message-Id: <200008301502.e7UF2sp06263@klemm.gtn.com>
Date: Wed, 30 Aug 2000 17:02:54 +0200 (CEST)
From: andreas@FreeBSD.org Reply-To: andreas@FreeBSD.org To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.2 Subject: bin/20944: natd additions with tested DIFFS (natd.c,natd.h,natd.8,/etc/natd.conf) Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 20944 >Category: bin >Synopsis: natd enhancements, default config file and manpage additions >Confidential: no >Severity: non-critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Wed Aug 30 08:20:03 PDT 2000 >Closed-Date: >Last-Modified: >Originator: Andreas Klemm >Release: FreeBSD-4.1 >Organization: FreeBSD >Environment: 4.1-STABLE >Description: - our natd source directory contains a samples/natd.cf.sample example config file. It would be better to offer this config file in /etc - you can force natd to read a special config file, but it doesn't look for a default config file - manpage doesn't have a FILES section - if verbose=1, natd doesn't report, which config file is being parsed >How-To-Repeat: cd /usr/src/ >Fix: - teach natd to use a default config file /etc/natd.conf if present - do not read default config file if natd has been invoked with the command line options -config | -f file introduced new variable haveConfigFile to trigger that - teach natd to report which config file will be used, if verbose is set - update documentation - new file: src/etc/natd.conf - update src/etc/Makefile, add natd.conf to BIN1 - document changes in natd.8 - Add missing FILES section in manpage Here is the fix matching against FreeBSD-4.1-STABLE of Tue Aug 29 23:43:25 CEST 2000 Sorry, no -current system around. Index: etc/Makefile =================================================================== RCS file: /home/ncvs/src/etc/Makefile,v retrieving revision 1.219.2.7 diff -u -r1.219.2.7 Makefile --- etc/Makefile 2000/08/28 20:25:50 1.219.2.7 +++ etc/Makefile 2000/08/30 14:18:31 
@@ -8,7 +8,7 @@ dhclient.conf dm.conf fbtab ftpusers gettytab group \ hosts hosts.allow host.conf hosts.equiv hosts.lpd \ inetd.conf login.access login.conf \ - motd modems networks newsyslog.conf \ + motd modems natd.conf networks newsyslog.conf \ pam.conf phones pim6dd.conf pim6sd.conf \ printcap profile protocols \ rc rc.atm rc.devfs rc.diskless1 rc.diskless2 rc.firewall rc.isdn \ Index: etc/natd.conf =================================================================== RCS file: natd.conf diff -N natd.conf --- /dev/null Wed Aug 30 16:51:28 2000 +++ natd.conf Wed Aug 30 16:16:21 2000 
@@ -0,0 +1,93 @@ +# +# Configuration file for natd. +# +# $FreeBSD$ +# +# !!! This is an example! You will need to modify it for your specific +# !!! requirements! +# +# Enable logging to file /var/log/alias.log +# +#log no +# +# Incoming connections. Should NEVER be set to "yes" if redirect_port +# or redirect_address statements are activated in this file! +# +# Setting to yes provides additional anti-crack protection +# +#deny_incoming no +# +# Use sockets to avoid port clashes. Uses additional system resources, but +# guarantees successful connections when port numbers conflict +# +#use_sockets no +# +# Avoid port changes if possible when altering outbound packets. Makes rlogin +# work in most cases. +# +#same_ports yes +# +# Verbose mode. Enables dumping of packets and disables +# forking to background. Only set to yes for debugging. +# +#verbose no +# +# Divert port. Can be a name in /etc/services or numeric value. +# +#port 32000 +# +# Interface name or address being aliased. Either one, +# not both is required. +# +# Obtain interface name from the command output of "ifconfig -a" +# +# alias_address 192.168.0.1 +#interface ep0 +# +# Alias unregistered addresses or all addresses. Set this to yes if +# the inside network is all RFC1918 addresses. +# +#unregistered_only no +# +# Configure permanent links. If you use host names instead +# of addresses here, be sure that name server works BEFORE +# natd is up - this is usually not the case. So either use +# numeric addresses or hosts that are in /etc/hosts. +# +# Note: Current versions of FreeBSD all call /etc/rc.firewall +# BEFORE running named, so if the DNS server and NAT are on the same +# machine, the nameserver won't be up if natd is called from /etc/rc.firewall +# +# Map connections coming to port 30000 to telnet in my_private_host. +# Remember to allow the connection /etc/rc.firewall also. 
+# +#redirect_port tcp my_private_host:telnet 30000 +# +# Map connections coming from host.xyz.com to port 30001 to +# telnet in another_host. +#redirect_port tcp another_host:telnet 30001 host.xyz.com +# +# Static NAT address mapping: +# +# ipconfig must apply any legal IP numbers that inside hosts +# will be known by to the outside interface. These are sometimes known as +# virtual IP numbers. It's suggested to use the "interface" directive +# instead of the "alias_address" directive to make it more clear what is +# going on. (although both will work) +# +# DNS in this situation can get hairy. For example, an inside host +# named aweb.company.com is located at 192.168.1.56, and needs to be +# accessible through a legal IP number like 198.105.232.1. If both +# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS +# for aweb.company.com, then external hosts attempting to access +# aweb.company.com may use address 192.168.1.56 which is inaccessible to them. +# +# The obvious solution is to use only a single address for the name, the +# outside address. However, this creates needless traffic through the +# NAT, because inside hosts will go through the NAT to get to the legal +# number, even when the inside number is on the same subnet as they are! +# +# It's probably not a good idea to use DNS names in redirect_address statements +# +#The following mapping points outside address 198.105.232.1 to 192.168.1.56 +#redirect_address 192.168.1.56 198.105.232.1 Index: sbin/natd/natd.8 =================================================================== RCS file: /home/ncvs/src/sbin/natd/natd.8,v retrieving revision 1.27.2.5 diff -u -r1.27.2.5 natd.8 --- sbin/natd/natd.8 2000/07/17 10:11:03 1.27.2.5 +++ sbin/natd/natd.8 2000/08/30 13:38:13 
@@ -540,6 +540,18 @@ Running the script in the background should be enough to prevent this disaster. .El +.Sh FILES +.Bl -tag -width /var/run/natd.pid -compact +.It Pa /etc/natd.conf +default configuration file +.It Pa /etc/rc.conf +for enabling natd and kernel firewall +.It Pa /etc/rc.firewall +firewall rules +.It Pa /var/run/natd.pid +pid of currently running +.Nm +.El .Sh SEE ALSO .Xr divert 4 , .Xr protocols 5 , Index: sbin/natd/natd.c =================================================================== RCS file: /home/ncvs/src/sbin/natd/natd.c,v retrieving revision 1.25.2.3 diff -u -r1.25.2.3 natd.c --- sbin/natd/natd.c 2000/07/11 20:00:57 1.25.2.3 +++ sbin/natd/natd.c 2000/08/30 14:32:13 @@ -126,6 +126,7 @@ static int dropIgnoredIncoming; static int logDropped; static int logFacility; +static int haveConfigFile; int main (int argc, char** argv) { @@ -160,6 +161,7 @@ dynamicMode = 0; logDropped = 0; logFacility = LOG_DAEMON; + haveConfigFile = 0; /* * Mark packet buffer empty. */ @@ -168,6 +170,13 @@ ParseArgs (argc, argv); /* + * Read default config file, if present and no other config file is in use + */ + if (haveConfigFile == 0) { + ReadConfigFile (DEFAULT_CONFIG); + } + +/* * Open syslog channel. */ openlog ("natd", LOG_CONS | LOG_PID | (verbose ? LOG_PERROR : 0), @@ -1243,6 +1252,7 @@ case ConfigFile: ReadConfigFile (strValue); + haveConfigFile=1; break; case LogDenied: @@ -1286,6 +1296,9 @@ file = fopen (fileName, "r"); if (!file) err(1, "cannot open config file %s", fileName); + + if (verbose) + printf ("using config file %s\n", fileName); while ((buf = fgetln(file, &len)) != NULL) { if (buf[len - 1] == '\n') Index: sbin/natd/natd.h =================================================================== RCS file: /home/ncvs/src/sbin/natd/natd.h,v retrieving revision 1.4 diff -u -r1.4 natd.h --- sbin/natd/natd.h 1999/08/28 00:13:46 1.4 +++ sbin/natd/natd.h 2000/08/30 14:08:01 
@@ -12,7 +12,8 @@ * $FreeBSD: src/sbin/natd/natd.h,v 1.4 1999/08/28 00:13:46 peter Exp $ */ -#define PIDFILE "/var/run/natd.pid" +#define PIDFILE "/var/run/natd.pid" +#define DEFAULT_CONFIG "/etc/natd.conf" #define INPUT 1 #define OUTPUT 2 #define DONT_KNOW 3 >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
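Review bot: the etc/Makefile hunk is fine on its own (natd.conf sits in alphabetical position in BIN1), but the commit message should say that existing installations only get /etc/natd.conf when the admin merges etc/ by hand, because the natd.c change makes natd look for that path on every start where no -f/-config is given.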
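Review bot: the header comment of the new etc/natd.conf should state that natd reads this file automatically when started without -f or -config, so an admin understands that uncommenting any directive here changes natd's behaviour on the next start; the current header only says "Configuration file for natd". Two smaller points in the same file: "# alias_address 192.168.0.1" has a space after the "#", unlike every other commented-out directive ("#interface ep0", "#port 32000"), so it reads as explanatory text rather than a directive the admin may enable; and "Setting to yes provides additional anti-crack protection" for deny_incoming is vague, so say what the option actually does to incoming packets instead. "Remember to allow the connection /etc/rc.firewall also." is missing "in".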
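Review bot: the natd.8 hunk adds a FILES entry calling /etc/natd.conf the "default configuration file", but nothing in the manpage text explains the new behaviour: that the file is read when neither -f nor -config is given, that it is skipped when one of them is given, and that verbose mode prints which file is used. Add a sentence under the -f / -config option description (or in DESCRIPTION) to that effect; a FILES entry alone does not tell the reader when the file takes effect. The other entries (rc.conf, rc.firewall, the pid file with .Nm on its own line) follow mdoc convention and are fine.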
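Review bot: in the @@ -160 hunk, "haveConfigFile = 0;" is redundant because a file-scope static is zero-initialised, but it matches how "logDropped = 0;" and its neighbours are handled, so keeping it for consistency is reasonable.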
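Review bot: the @@ -168 hunk calls ReadConfigFile (DEFAULT_CONFIG) whenever no -f/-config was given, and ReadConfigFile fails hard on a missing file ("if (!file) err(1, "cannot open config file %s", fileName);" is visible as context in the @@ -1286 hunk), so on any system without /etc/natd.conf natd now exits at startup instead of running on its command-line options; that contradicts the "if present" in the comment and in the PR text. Test for the file first, e.g. "if (haveConfigFile == 0 && access (DEFAULT_CONFIG, R_OK) == 0)", or give ReadConfigFile a parameter that makes a missing file non-fatal for the default path only. Second, the default file is read after ParseArgs, so every directive in /etc/natd.conf silently overrides the flags the admin typed, whereas a file given with -f is applied at its position among the arguments; reading the default file before ParseArgs (pre-scanning argv for -f/-config, or simply letting -f add to it) keeps the usual "command line overrides config file" precedence. Style: the reopened comment "+/*" sits at column 0 while the "/*" it replaces was indented.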
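Review bot: in the @@ -1243 hunk, "haveConfigFile=1;" lacks the spaces around "=" used everywhere else in the file ("logDropped = 0;"); setting the flag after ReadConfigFile returns is otherwise correct, since ReadConfigFile exits via err() when the file cannot be opened.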
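Review bot: the "using config file" message in the @@ -1286 hunk is printed before the file is parsed and only when verbose is already set, so it appears for "-v -f file" but not for "-f file -v" and not when "verbose yes" is set inside the file itself; either document that ordering in natd.8 or remember the file name and report it once after ParseArgs. It also goes to stdout via printf while the err() call two lines above writes to stderr; fprintf (stderr, ...) keeps the diagnostics together (verbose disables forking, so either stream is usable).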
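Review bot: the natd.h hunk removes and re-adds "#define PIDFILE "/var/run/natd.pid"" with identical text, i.e. a whitespace-only realignment that inflates the diff; drop it or mention the alignment in the commit message. The new DEFAULT_CONFIG path matches the FILES entry in natd.8, which is good; keep the two in sync if the path ever changes.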