Date:      Mon, 12 Jul 1999 18:08:11 -1000
From:      "Art Neilson, KH7PZ" <art@hawaii.rr.com>
To:        "Michael P. Neuman" <neubyneu@twcny.rr.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd/ipfw question.
Message-ID:  <3.0.6.32.19990712180811.03074230@clients1.hawaii.rr.com>
In-Reply-To: <000601becc41$5208c6c0$04c809c0@kramer.cmsnet.net>

Did you enable natd in rc.conf?  The following code in rc.firewall needs to
execute before the rest of the rules get set up:

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
    $fwcmd add divert natd all from any to any via ${natd_interface}
fi

in rc.conf you need:

natd_program="/sbin/natd"       # path to natd, if you want a different one.
natd_enable="YES"               # Enable natd (if firewall_enable == YES).
natd_interface="ep0"            # Public interface or IPaddress to use.
natd_flags="-l -u -dynamic"     # Additional flags for natd.

note that my outside interface is ep0, a 3COM 3C509B-TP ISA card.
You need to set yours to whatever your driver is.

I made my own "custom" firewall rules in rc.firewall, i.e. 
firewall_type="custom" in rc.conf :^).  I can share them with you if
you want, send me private email.  My rules do pretty much what you describe.
You will have to tweak them for your particular needs.


At 04:34 AM 7/12/99 -0400, you wrote:
>Well, I guess you are right.  But, I just thought of another question.
>Right now I have the basic OPEN firewall setting.  As soon as I go and add
>"real" rules, NATD doesn't seem to be able to function.  For example, I want
>to deny everything and allow only those outgoing and incoming connections
>which I "say" are alright.  How come when I deny everything else it blocks
>NAT from functioning.   I've asked this before but nobody could seem to
>answer it.  Thanks again.
>-----Original Message-----
>From: Art Neilson, KH7PZ <art@hawaii.rr.com>
>To: Michael P. Neuman <neubyneu@twcny.rr.com>
>Cc: freebsd-questions@FreeBSD.ORG <freebsd-questions@FreeBSD.ORG>
>Date: Monday, July 12, 1999 6:25 PM
>Subject: Re: natd/ipfw question.
>
>
>>At 01:59 AM 7/12/99 -0400, you wrote:
>>> Hello.  I'm currently running FreeBSD-3.2-RELEASE.  I have natd and ipfw
>>> working great right now I'm also running DNS.  Currently, it directs my
>>> internal network of unregistered IP's to the internet.  What I want to
>>> also do is the reverse.  I want to be able to telnet to my computer with
>>> the unregistered address from the internet.  I.E.: I'm on the internet.
>>> I want to connect to kramer.cmsnet.net (IP 192.168.1.2) from the
>>> internet.  Is there a way to set up NATD/IPFW to do this??? Thanks in
>>> advance.  I hope you can understand what I'm saying
>>> --
>>> Michael P. Neuman - Consultant, NeuTech Computer Consulting
>>
>>Wouldn't that defeat the purpose of the firewall?  Besides, those
>>unregistered IP addresses won't be honored by any DNS servers on the
>>outside so you'd have to use the IP address.  Not sure that would even
>>work, I don't think any router would route that address on the outside.
>>--
>>   __
>>  /  )    _/_  It is a capital mistake to theorise before one has data.
>> /--/ __  /    Insensibly one begins to twist facts to suit theories,
>>/  (_/ (_<__   Instead of theories to suit facts.
>>                     -- Sherlock Holmes, "A Scandal in Bohemia"
>>Arthur W. Neilson III, KH7PZ
>>Bank of Hawaii Tech Support
>>art@hawaii.rr.com
>>
>>
>
>
--
   __
  /  )    _/_  It is a capital mistake to theorise before one has data.
 /--/ __  /    Insensibly one begins to twist facts to suit theories,
/  (_/ (_<__   Instead of theories to suit facts.
                     -- Sherlock Holmes, "A Scandal in Bohemia"
Arthur W. Neilson III, KH7PZ
Bank of Hawaii Tech Support
art@hawaii.rr.com
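The ordering point in Art's reply, as an added example that is not part of the original message or his own "custom" rules: a minimal deny-by-default ipfw ruleset that keeps natd working. The divert rule is emitted first, so every packet crossing the outside interface is translated before any deny rule sees it, and the rules below it are written against the post-translation addresses (public source on the way out, inside destination on the way in). Interface names ep0/ed0, the inside network 192.168.1.0/24, the rule numbers and the optional telnet redirect target are all assumptions for illustration; change them to match your own drivers and addressing.

```shell
#!/bin/sh
# Added example, not code from the original message or from FreeBSD's rc.firewall.
# Assumed (hypothetical) layout: outside interface ep0 (natd runs here),
# inside interface ed0, inside network 192.168.1.0/24.
oif="${OIF:-ep0}"                 # outside interface, same as natd_interface in rc.conf
iif="${IIF:-ed0}"                 # inside interface
inet="${INET:-192.168.1.0/24}"    # RFC 1918 network behind natd
telnet_host="${TELNET_HOST:-}"    # set to e.g. 192.168.1.2 if natd is started with
                                  # "-redirect_port tcp 192.168.1.2:23 23"

# Emit the ruleset, one "<number> <rule>" per line, in load order.
# Rule 100 must be first: packets that match "via $oif" are handed to natd,
# and the translated packet re-enters the list just below the divert rule.
# If the divert rule were loaded after a deny rule, the untranslated packet
# would be dropped first and NAT would appear to "stop working".
build_rules() {
    cat <<EOF
00100 divert natd all from any to any via $oif
00200 allow all from any to any via lo0
00300 deny all from any to 127.0.0.0/8
00400 deny all from 127.0.0.0/8 to any
00500 deny all from $inet to any in via $oif
00600 allow tcp from any to any established
00700 allow all from any to any via $iif
00800 allow tcp from any to any out via $oif setup
00900 allow udp from any to any 53 out via $oif
01000 allow udp from any 53 to $inet in via $oif
01100 allow icmp from any to any
EOF
    # Inbound telnet redirect: by the time this rule runs, natd has already
    # rewritten the destination to the inside host, so the rule names the
    # inside address, not the public one.
    if [ -n "$telnet_host" ]; then
        echo "01200 allow tcp from any to $telnet_host 23 in via $oif setup"
    fi
    echo "65000 deny log all from any to any"
}

# Return 0 if the first rule is the natd divert rule, 1 otherwise.
divert_first() {
    first=$(build_rules | sed -n '1p')
    case "$first" in
        *" divert natd "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Load the ruleset with ipfw. FWCMD="echo ipfw" gives a dry run.
load_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"
    $fwcmd -f flush
    build_rules | while read -r num rest; do
        $fwcmd add "$num" $rest
    done
}

case "${1:-}" in
    load) load_rules ;;
    *) build_rules ;;      # default: just print the rules for review
esac
```

Run it with no arguments to see the rules, or as root with `load` to apply them; `ipfw show` afterwards should list the divert rule at the top. Rule 500 rejects packets arriving on the outside interface that claim an inside source address; natd does not touch the source of inbound packets, so that check still works after translation.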
