Date:      Mon, 6 Mar 2000 22:12:34 -0500
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Bhishan Hemrajani <bhishan@cytosine.dhs.org>
Cc:        mires <mires@bigfoot.com>, freebsd-questions@FreeBSD.ORG
Subject:   Re: aliasing natd and FW
Message-ID:  <20000306221233.B70609@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <200003060546.VAA00360@cytosine.dhs.org>; from bhishan@cytosine.dhs.org on Sun, Mar 05, 2000 at 09:46:46PM -0800
References:  <000c01bf8736$ba87a9e0$9349dbc1@eu.org> <200003060546.VAA00360@cytosine.dhs.org>

On Sun, Mar 05, 2000 at 09:46:46PM -0800, Bhishan Hemrajani wrote:
> The natd_interface in rc.conf is supposed to be a device name.
> (de1, xl0, ed0, etc.)
> 
> It should be the interface connected to the connection on the internet.

Actually, the rc.network file supports IP addresses given in
'natd_interface,'

            if [ X"${natd_enable}" = X"YES" -a -n "${natd_interface}" ]; then
                if echo ${natd_interface} | \
                    grep -q -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
                    natd_ifarg="-a ${natd_interface}"
                else
                    natd_ifarg="-n ${natd_interface}"
                fi
                echo -n ' natd'; ${natd_program} ${natd_flags} ${natd_ifarg}
            fi
            echo '.'

However...

> > Hi there.
> > 
> > I'm using 3.4-RELEASE FreeBSD, one network card:
> > with FW & natd. There are some lines from my config files
> > 
> > rc.config:
> > ifconfig_ed2="inet 193.219.73.147  netmask 255.255.255.0"
> > defaultrouter="193.219.73.44"
> > gateway_enable="YES"
> > #natd
> > natd_program="/sbin/natd"
> > natd_enable="YES"
> > natd_interface="193.219.73.147"
> > natd_flags=""
> > #Fire wall
> > firewall_enable="YES"
> > firewall_type="OPEN"
> >  
> > rc.local
> > ifconfig ed2 alias 192.168.0.11 netmask 255.255.255.0

Including,

  ifconfig_ed2_alias0="192.168.0.11 netmask 255.255.255.0"

in rc.conf is the preferred way to do this.

> > rc.firewall
> >  $fwcmd add divert natd all from any to any via ${natd_interface}
> >  $fwcmd add 10200 deny all from 192.168.0.0:255.255.0.0 to any via 193.219.73.147
> >  $fwcmd add 10300 deny all from any to 192.168.0.0:255.255.0.0 via 193.219.73.147

You need to realize that all packets traveling over ed2 match these
second two rules. From ipfw(8),

         via ipno          Packet must be going through the interface having
                           IP address ipno.

> > From my natd computer and from the local network everything works just fine except:
> > 
> > 1. From my local LAN (windoze PC's) I can't use tracert. Ping goes OK, but tracert:
> > 
> > Tracing route to hp710-3.lei.lt [193.219.73.43]
> > over a maximum of 30 hops:
> > 
> >   1     2 ms     1 ms     1 ms  193.219.73.147
> >   2     3 ms     3 ms     3 ms  193.219.73.147
> >   3    12 ms    12 ms    12 ms  193.219.73.147
> >   4    23 ms    29 ms    30 ms  193.219.73.147
> > ...
> >  12   104 ms    70 ms   110 ms  hp710-3.lei.lt [193.219.73.43]
> > Why doesn't it detect the real servers' IP/DNS?
> > (From my proxy computer everything goes just fine.)

Your DNS setup on a Winbox is a whole other issue.

> > 2. The second problem: I really can't build a FW. I mean rule 10200 just blocks all
> > traffic from the local LAN. (It means I can't block evil private LAN IPs from
> > outside?) What can I do?

What you need to do is get two interfaces. It's pretty well known
natd(8) does not work well with a single interface; it was not
designed for it.
-- 
Crist J. Clark                           cjclark@home.com
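To make the "via" point above concrete, here is an added example (not from the thread or from FreeBSD) that models how ipfw picks an interface match: "via" matches a packet received or transmitted on the interface, while the assumed "recv" variant matches only the receiving side. It evaluates rule 10200 against a LAN host's outbound packet and a spoofed private-source packet from outside, first with one NIC and then with the LAN moved to ed1; natd translation and the divert rule are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of ipfw interface matching, not the FreeBSD kernel code.
# Rule numbers and addresses follow the thread; ed1 is an assumed LAN NIC.

@dataclass
class Packet:
    src: str
    dst: str
    recv: Optional[str]   # interface the packet arrived on (None: local origin)
    xmit: Optional[str]   # interface it leaves on (None: delivered locally)

@dataclass
class Rule:
    num: int
    action: str                 # "deny" or "allow"
    src: str                    # CIDR or "any"
    via: Optional[str] = None   # ipfw "via": recv OR xmit interface
    recv: Optional[str] = None  # ipfw "recv": receiving interface only

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.via and rule.via not in (pkt.recv, pkt.xmit):
        return False
    if rule.recv and rule.recv != pkt.recv:
        return False
    return True

def verdict(rules, pkt: Packet) -> str:
    """First matching rule wins; rule 65000 'allow' mirrors firewall_type=OPEN."""
    for rule in sorted(rules, key=lambda r: r.num):
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"  # kernel default rule 65535

# Rule 10200 from the thread, with "via 193.219.73.147" resolved to ed2.
VIA_RULES = [Rule(10200, "deny", "192.168.0.0/16", via="ed2"), Rule(65000, "allow", "any")]
# Same intent restricted to packets arriving from outside (assumed variant).
RECV_RULES = [Rule(10200, "deny", "192.168.0.0/16", recv="ed2"), Rule(65000, "allow", "any")]

SPOOF = Packet("192.168.9.9", "193.219.73.147", "ed2", None)  # constructed, from outside

def single_nic():
    """LAN shares ed2 with the uplink: the LAN host's packet enters on ed2 too."""
    lan = Packet("192.168.0.20", "193.219.73.43", "ed2", "ed2")
    return verdict(VIA_RULES, lan), verdict(VIA_RULES, SPOOF), verdict(RECV_RULES, lan)

def two_nics():
    """LAN on ed1: only the spoofed packet is received on ed2."""
    lan = Packet("192.168.0.20", "193.219.73.43", "ed1", "ed2")
    return verdict(RECV_RULES, lan), verdict(RECV_RULES, SPOOF)
```

With one NIC every variant of rule 10200 denies the LAN host along with the spoofed packet; with the LAN on its own interface the receive-side rule denies only the spoof.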


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message