Date: Tue, 24 Jun 1997 05:38:21 -0500 (CDT)
From: Wayne Baety <mrfoine@enteract.com>
To: Brian Somers <brian@awfulhak.org>
Cc: Wilko Bulte <wilko@yedi.iaf.nl>, FreeBSD hackers list <FreeBSD-hackers@FreeBSD.ORG>
Subject: Re: natd & dynamic adresses via isdn/ppp
Message-ID: <Pine.BSI.3.95.970624050848.8502A-100000@enteract.com>
In-Reply-To: <199706222212.XAA09754@awfulhak.demon.co.uk>
On Sun, 22 Jun 1997, Brian Somers wrote:

> > Hi
> >
> > Is it possible to use natd in an environment that has changing IP
> > addresses to the outside world? Our dialup link is an ISDN/ppp link
> > with dynamically configured IP addresses (ISDN/ppp works like a charm
> > now BTW)

I think he's using bisdn, and with bisdn you would be using isdnpppd (a modified ppp daemon). But to use dynamic ip addressing and ip masquerading (natd):

1) enable ipfw functionality (put in kernel config file: options IPFIREWALL, options IPDIVERT; and in the routed man pages options IPFORWARDING=1 was mentioned, not sure if that is necessary though)

2) make sure you have natd in your /etc/services. I picked 6136 as a tcp divert socket for natd

3) add this to your rules with ipfw: ipfw add 1200 divert 6136 ip from any to any via ppp0.

notes: ippp0 is the interface you have bisdn attached to in your bisdnd.cfg, but ppp0 is the interface you use for most system utilities via isdn. The 6136 can be any unassigned port in your /etc/services. Pick any value you wish, but make sure it doesn't conflict with anything. This same number you put in your firewall rule list. The 1200 after the add rule statement above can be any number; my choice was arbitrary. But I am confused as to whether the divert to natd should come before or after packet filtering rules. At one point I had both the kernel Firewall and the ipfilter add-on working simultaneously.... I had used the kernel firewall for the divert sockets.

start natd with: natd -s -dynamic -interface ppp0

and all should be fine. Might even want to put that in your rc.local along with ifconfig'ing ppp0 to 10.0.0.1 and up or some other address...doesn't matter, to get a feel of full internet connectivity. With a trick with your named you can make it even seem like an instant connection...

(With this setup you get a small delay whenever it makes a reconnection, long enough for some tcp timeouts, which creates a longer delay in those programs that don't resend quickly.)

Another thing you might want to consider doing is blocking netbios (udp 137-139) over your ppp0 connection, especially if you have some win95 machines that have shares available w/o passwords, since this would be available to the internet w/o any kind of validation.

Email me back if any of this is confusing,

Wayne
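The steps in the mail as an added shell example (not part of Wayne's message): it checks the chosen divert port against a services file before emitting the kernel options, services entry, ipfw rules and natd command, and places the divert rule ahead of the filter rules, which is the usual answer to the ordering question raised in the notes. Port 6136, interface ppp0 and the udp 137-139 block come from the mail; the tcp 139 rule, the "natd 6136/divert" services line and the sample services file are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the mail: emits the natd/ipfw setup described
# above. Port 6136 and interface ppp0 are the values from the mail; the rule
# numbers are arbitrary, as the mail notes.
DIVERT_PORT=6136
EXT_IF=ppp0

# Return 0 if $1 (a port number) is not assigned in the services file $2.
# Comments are stripped; the second field of each entry is port/proto.
port_is_free() {
    if sed 's/#.*//' "$2" | awk -v p="$1" \
        '$2 ~ ("^" p "/") { found = 1 } END { exit found ? 0 : 1 }'; then
        return 1
    fi
    return 0
}

# Firewall rules. The divert rule goes first so that inbound packets are
# translated back to their internal address before any filter rule sees them.
ruleset() {
    echo "ipfw add 1200 divert $DIVERT_PORT ip from any to any via $EXT_IF"
    # NetBIOS name/datagram (udp 137-139, as in the mail) and session (tcp 139).
    echo "ipfw add 1300 deny udp from any to any 137-139 via $EXT_IF"
    echo "ipfw add 1301 deny tcp from any to any 139 via $EXT_IF"
}

# The natd invocation from the mail; without an explicit port natd uses the
# "natd" entry in /etc/services, which is why step 2 adds that line.
natd_cmd() {
    echo "natd -s -dynamic -interface $EXT_IF"
}

# Print the whole plan, refusing if the chosen divert port is already taken.
plan() {
    if ! port_is_free "$DIVERT_PORT" "$1"; then
        echo "port $DIVERT_PORT is already assigned in $1; pick another" >&2
        return 1
    fi
    echo "# kernel config: options IPFIREWALL, options IPDIVERT"
    echo "echo 'natd $DIVERT_PORT/divert' >> /etc/services"
    ruleset
    natd_cmd
}

# Constructed sample services file so this runs without touching the real one.
SAMPLE_SERVICES="${TMPDIR:-/tmp}/sample_services.$$"
printf '%s\n' '# constructed sample' 'ftp 21/tcp' 'ssh 22/tcp' 'www 80/tcp' > "$SAMPLE_SERVICES"
plan "$SAMPLE_SERVICES"
```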