Date: Fri, 24 Sep 1999 05:59:09 +0200 (CEST)
From: Martin Welk <mw@freibergnet.de>
To: Joe Gleason <freebsd.list@bug.tasam.com>
Cc: stable@FreeBSD.ORG, Ed Shoro <ed@pdqnet.com>
Subject: Re: Natd
Message-ID: <XFMail.990924055909.mw@freibergnet.de>
In-Reply-To: <015e01bf0626$26ca9dc0$256b52c6@tasam.com>
On 24-Sep-99 Joe Gleason wrote:
> That will be a tricky one, because PC anywhere uses some UDP packets to
> establish the connection as well as the TCP connection. As far as the
> natd setup, all I can say is man natd.

You can configure natd in two ways: to redirect defined UDP and TCP ports for defined addresses to the same or different UDP or TCP ports on one or many machines. This is sometimes tricky.

A good starting point is always to read the documentation, especially ipfirewall(4), ipfw(8), natd(8) and sometimes dummynet(4), to read more about how the firewall code works and for a better and deeper understanding. For NAT, you don't need dummynet, but the documentation is also interesting.

Build a kernel including IPDIVERT, IPFIREWALL and whatever else you want (look at the documentation again, and look at the LINT file).

Use the log function of the ipfirewall to see which UDP and TCP ports PC Anywhere needs, if you can't find anything in the PC Anywhere documentation. Check carefully whether it works with a connection to a static port or from a static port or whatever, and then start building a natd configuration and an ipfw configuration.

Some examples, fragments from a working setup I changed a little:

First, we define an alias address on the "world" interface, which is not necessary, but leaves us open to use any ports on the "real" (gateway) machine:

    ifconfig x0 inet a.b.c.d netmask m.n.o.p
    ifconfig x0 alias a.b.c.d+1 netmask m.n.o.p
    ifconfig x1 alias e.f.g.h netmask q.r.s.t

...and let's assume that your internal host is e.f.g.h+1. (Usually, you do this in /etc/rc.conf.)

Some natd configuration:

    port 8668
    deny_incoming no
    alias_address a.b.c.d                   (*)
    redirect_address e.f.g.h+1 a.b.c.d+1    (**)

(*) This will be the alias address natd uses for connections coming from the LAN interface (x1) to foreign hosts.
It depends on your setup which one makes more sense - I'm using a second x0 alias for this purpose.

(**) You can also use the redirect_port command to redirect special services. I hardly recommend this, especially if there's a Windows box behind the NAT host. Take care: natd uses a syntax like "local_addr public_addr", not vice versa, which I would have expected. Read the man page :-)

Some ipfw configuration:

    ipfw add n allow all from any to a.b.c.d
    ipfw add n++ divert 8668 all from any to a.b.c.d+1
    ipfw add n++ divert 8668 all from e.f.g.h+1 to any
    ipfw add n++ allow all from any to any

With these fragments you should be able to build a setup with which you can reach your Windows box with the alias IP from the outside. I think this is a good starting point for understanding what the firewall does. From now on, you have to trigger it so that it does exactly as you need, I mean, redirect special ports and so on.

Use the logging functions of natd, ipfirewall and perhaps a tcpdump to find out what happens on your network. This will give you enough diagnostic information to see what firewall rule is still missing or what the software you're using needs in addition.

Have fun :-)

Regards,
Martin

-- 
FreibergNet Systemhaus GbR                       Martin Welk * Sales, Support
Systems house for data and network technology    phone +49 3731 781387
Liebscher & Partner group of companies           fax +49 3731 781377
D-09599 Freiberg * Am St. Niclas Schacht 13      http://www.freibergnet.de/
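The natd and ipfw fragments in the message above only work together when several things line up: the natd port and the ipfw divert port, a divert rule for packets addressed to every public address natd owns (the alias address and each redirect target), a divert rule for the outbound direction of each redirected host, the "local_addr public_addr" argument order, and the catch-all allow sitting below the divert rules. A slip in any one of them, such as a divert rule naming the wrong internal host, silently leaves packets untranslated. The following is an added example, not code from the post or from FreeBSD: a Python checker that parses a natd.conf and an ipfw rule list (both constructed here with RFC 5737 and RFC 1918 addresses) and reports which of those invariants is violated. All function names and the sample addresses are this example's own assumptions.

```python
"""Consistency checks for a natd(8) + ipfw(8) NAT setup.

Added example, not code from the original post. It parses a small natd.conf
and an ipfw rule list (both constructed below with RFC 5737 / RFC 1918
addresses) and verifies the invariants the post relies on: the natd port and
the ipfw divert port agree, the address natd answers on is actually diverted,
every redirect target has a divert rule for each direction, the
"local_addr public_addr" argument order is honoured, and the divert rules
sit above the final catch-all allow. All function names are this example's.
"""
import ipaddress
import re

# Constructed natd.conf: gateway alias 192.0.2.11 masks outbound LAN traffic,
# and 192.0.2.12 is mapped 1:1 onto the internal host 10.0.0.2.
NATD_CONF = """\
port 8668
deny_incoming no
alias_address 192.0.2.11
redirect_address 10.0.0.2 192.0.2.12
"""

# Constructed ipfw rule list in the shape used in the post: leave the
# gateway's own address alone, divert NAT traffic, then allow the rest.
IPFW_RULES = """\
ipfw add 100 allow all from any to 192.0.2.10
ipfw add 200 divert 8668 all from any to 192.0.2.11
ipfw add 210 divert 8668 all from any to 192.0.2.12
ipfw add 300 divert 8668 all from 10.0.0.2 to any
ipfw add 400 allow all from any to any
"""

LAN = ipaddress.ip_network("10.0.0.0/24")

RULE_RE = re.compile(
    r"ipfw add (?P<num>\d+) (?P<action>allow|deny|divert)(?: (?P<divport>\d+))?"
    r" (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)"
)


def parse_natd(text):
    """Pick out the natd directives the checks need; unknown keys are ignored."""
    conf = {"port": None, "alias_address": None, "redirects": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0], parts[1:]
        if key == "port":
            conf["port"] = int(args[0])
        elif key == "alias_address":
            conf["alias_address"] = args[0]
        elif key == "redirect_address":          # local_addr public_addr
            conf["redirects"].append({"local": args[0], "public": args[1]})
        elif key == "redirect_port":             # proto local:port public:port
            conf["redirects"].append({"local": args[1].split(":")[0],
                                      "public": args[2].split(":")[0]})
    return conf


def parse_ipfw(text):
    """Turn 'ipfw add N action [divport] proto from src to dst' lines into dicts."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["num"] = int(r["num"])
            r["divport"] = int(r["divport"]) if r["divport"] else None
            rules.append(r)
    return rules


def check_setup(natd_text, ipfw_text, lan):
    """Return a list of human-readable problems; an empty list means consistent."""
    conf = parse_natd(natd_text)
    rules = parse_ipfw(ipfw_text)
    problems = []
    diverts = [r for r in rules if r["action"] == "divert"]
    if not diverts:
        return ["no divert rule: no packet ever reaches natd"]
    for r in diverts:
        if r["divport"] != conf["port"]:
            problems.append(f"rule {r['num']} diverts to port {r['divport']} "
                            f"but natd listens on port {conf['port']}")
    # ipfw evaluates rules by number: a catch-all allow numbered below a
    # divert rule passes the packet before natd ever sees it.
    catch_all = [r for r in rules if r["action"] == "allow"
                 and r["src"] == "any" and r["dst"] == "any"]
    last_divert = max(r["num"] for r in diverts)
    for r in catch_all:
        if r["num"] < last_divert:
            problems.append(f"catch-all allow rule {r['num']} precedes divert rule {last_divert}")
    # Replies to masqueraded sessions arrive addressed to alias_address.
    alias = conf["alias_address"]
    if alias and not any(r["dst"] == alias for r in diverts):
        problems.append(f"inbound traffic to alias_address {alias} is never diverted")
    for red in conf["redirects"]:
        if ipaddress.ip_address(red["local"]) not in lan:
            problems.append(f"{red['local']} is not a LAN address: "
                            f"natd syntax is 'local_addr public_addr'")
        if not any(r["dst"] == red["public"] for r in diverts):
            problems.append(f"no divert rule for inbound traffic to {red['public']}")
        if not any(r["src"] == red["local"] for r in diverts):
            problems.append(f"no divert rule for outbound traffic from {red['local']}")
    return problems


if __name__ == "__main__":
    for p in check_setup(NATD_CONF, IPFW_RULES, LAN) or ["setup is consistent"]:
        print(p)
```

Feed it the real files (natd.conf, and the output of `ipfw list` prefixed with `ipfw add`) and it reports the mismatches before a reboot does; the LAN network argument is what lets it catch the swapped "public local" order that the post warns about.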