Date: Mon, 30 Oct 2000 12:22:53 -0800
From: "Ras-Sol" <ras-sol@usa.net>
To: <cjclark@alum.mit.edu>, "Daniel Ruthardt" <ruthardt@chello.at>
Cc: <freebsd-questions@freebsd.org>
Subject: Re: IP Masquerading - Using NAT
Message-ID: <141201c042af$2eb07480$6d0a280a@speedera.com>
References: <20001029143205.X75251@149.211.6.64.reflexcom.com> <KDEOJJLADGAOLHAHFGMKCEDBCBAA.ruthardt@chello.at> <20001030111946.A3675@149.211.6.64.reflexcom.com>
While I absolutely agree that you should *not* be using only one interface here,
it somewhat bothers me that natd gets confused if there's only one IF. Natd deals
at the IP level, right? So adding another alias to the single physical should fix
natd's problems?

-- -sex:blood:heaven-
AIM: IMFDUP

----- Original Message -----
From: Crist J . Clark <cjclark@reflexnet.net>
To: Daniel Ruthardt <ruthardt@chello.at>
Cc: <freebsd-questions@freebsd.org>
Sent: Monday, October 30, 2000 11:19 AM
Subject: Re: IP Masquerading - Using NAT

> On Mon, Oct 30, 2000 at 10:25:11AM +0100, Daniel Ruthardt wrote:
>
> [snip]
>
> > Here is the information you need to help me:
> >
> > $ cat /etc/rc.conf
> >
> > # This file now contains just the overrides from /etc/defaults/rc.conf
> > # please make all changes to this file.
> >
> > keymap="german.iso"
> > gateway_enable="YES"
> > hostname="dowee.com"
> > firewall_enable="YES"
> > firewall_type="OPEN"
> > natd_interface="xl0"
> > natd_enable="YES"
> > ifconfig_xl0="DHCP"
> > ifconfig_xl0_alias0="inet 192.0.0.1 netmask 255.255.255.0"
> >
> > $ fgrep 'IP packet filtering' /var/run/dmesg.boot
> >
> > IP packet filtering initialized, divert enabled, rule-based forwarding disabled,
> > default to deny, logging disabled
> >
> > $ ifconfig -a
> >
> > xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet6 fe80::250:4ff:fe4d:3695%xl0 prefixlen 64 scopeid 0x1
> >         inet 212.186.196.204 netmask 0xffffff00 broadcast 212.186.196.255
> >         inet 192.0.0.1 netmask 0xffffff00 broadcast 192.0.0.255
> >         ether 00:50:04:4d:36:95
> >         media: 10baseT/UTP (10baseT/UTP <half-duplex>)
> >         supported media: 10baseT/UTP <full-duplex> 10baseT/UTP <half-duplex> 10baseT/UTP
>
> [snip]
>
> > $ ipfw show
> >
> > 00100 3064 945994 divert 8668 ip from any to any via xl0
> > 00100    0      0 allow ip from any to any via lo0
> > 00200    0      0 deny ip from any to 127.0.0.0/8
> > 65000 3064 945994 allow ip from any to any
> > 65535    2    656 deny ip from any to any
> >
> > Hope the information tells you what I've done wrong (-:
>
> Looks pretty good except for one big problem, you are trying to use a
> single interface. natd(8) is designed to be used with multiple
> interfaces. It does not work well with one. Each packet will go
> through natd(8) twice and this tends to really confuse it.
>
> There are other problems with this scheme. First, if you were planning
> to later add firewall rules for security, they will offer little
> protection since your machines are still naked on the net. Second, you
> are likely going to be leaking your "private" address traffic onto
> your LAN (and from there who knows where it may get routed). You will
> be one of those guys who causes all those people to mail the list
> asking why they are getting arp error messages about machines responding
> on the wrong interface.
> --
> Crist J. Clark cjclark@alum.mit.edu
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
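The two-interface layout Crist recommends, written out as an ipfw(8)/natd(8) ruleset. This is an added example and not code from the thread or from FreeBSD's own rc.firewall; the interface names (xl0 as the DHCP uplink and natd_interface, xl1 as the LAN side), the LAN prefix 192.168.1.0/24 and the matching rc.conf lines in the header comment are all assumptions. The point it illustrates is the one divert rule bound to the uplink only, so a packet crossing the gateway is handed to natd once, plus the anti-spoof rules that keep private-source traffic off the uplink.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset for a natd gateway with
# two interfaces. Assumed names: xl0 = DHCP uplink (natd_interface),
# xl1 = LAN side, 192.168.1.0/24 = LAN prefix.
# Matching rc.conf lines (assumed, not the poster's) would be:
#   gateway_enable="YES"   natd_enable="YES"   natd_interface="xl0"
#   ifconfig_xl0="DHCP"    ifconfig_xl1="inet 192.168.1.1 netmask 255.255.255.0"
# FWCMD=ipfw applies the rules; the default only prints them for review.

fwcmd="${FWCMD:-echo ipfw}"

nat_rules() {
    ext_if="$1"; int_if="$2"; lan_net="$3"

    $fwcmd -f flush

    # loopback sanity
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # anti-spoof: RFC 1918 sources (which include our own LAN prefix)
    # must never arrive on the uplink
    $fwcmd add 400 deny log ip from 10.0.0.0/8 to any in via "$ext_if"
    $fwcmd add 410 deny log ip from 172.16.0.0/12 to any in via "$ext_if"
    $fwcmd add 420 deny log ip from 192.168.0.0/16 to any in via "$ext_if"

    # the single divert rule, bound to the uplink only: a packet crossing
    # the gateway reaches natd exactly once, not once per interface pass
    $fwcmd add 500 divert 8668 ip from any to any via "$ext_if"

    # LAN side is trusted; anything leaving the uplink has been translated
    $fwcmd add 600 allow ip from "$lan_net" to any via "$int_if"
    $fwcmd add 610 allow ip from any to "$lan_net" via "$int_if"
    $fwcmd add 700 allow ip from any to any out via "$ext_if"

    # replies coming back in on the uplink (seen here after translation)
    $fwcmd add 800 allow tcp from any to any in via "$ext_if" established
    $fwcmd add 810 allow udp from any 53 to any in via "$ext_if"
    $fwcmd add 820 allow icmp from any to any in via "$ext_if" icmptypes 0,3,11

    # nothing else reaches the gateway or the LAN from outside
    $fwcmd add 65000 deny log ip from any to any
}

nat_rules "${EXT_IF:-xl0}" "${INT_IF:-xl1}" "${LAN_NET:-192.168.1.0/24}"
```

Run it as-is to review the generated rules, then `FWCMD=ipfw sh ipfw.sh` to load them (the `deny log` rules only log once `net.inet.ip.fw.verbose=1` is set). The inbound-reply rules are the stateless pattern of the era: `established` trusts the TCP flags and the source-port-53 rule admits any UDP that claims to be a DNS answer. A `keep-state`/`check-state` version is tighter, but its placement relative to the divert rule needs care because natd rewrites addresses in between.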