From owner-freebsd-questions Mon Oct 30 12:07:39 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.speedera.com (unknown [64.242.144.230]) by hub.freebsd.org (Postfix) with ESMTP id E48E337B479 for ; Mon, 30 Oct 2000 12:07:36 -0800 (PST)
Received: from salesnb1 (ph-109.speedera.com [10.40.10.109]) by mail.speedera.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id 473XNDYW; Mon, 30 Oct 2000 12:08:27 -0800
Message-ID: <141201c042af$2eb07480$6d0a280a@speedera.com>
From: "Ras-Sol"
To: , "Daniel Ruthardt"
Cc:
References: <20001029143205.X75251@149.211.6.64.reflexcom.com> <20001030111946.A3675@149.211.6.64.reflexcom.com>
Subject: Re: IP Masquerading - Using NAT
Date: Mon, 30 Oct 2000 12:22:53 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

While I absolutely agree that you should *not* be using only one interface here, it somewhat bothers me that natd gets confused if there's only one IF. Natd deals on the IP level, right? So adding another alias to the single physical should fix natd's problems?

--
-sex:blood:heaven-
AIM: IMFDUP

----- Original Message -----
From: Crist J. Clark
To: Daniel Ruthardt
Cc:
Sent: Monday, October 30, 2000 11:19 AM
Subject: Re: IP Masquerading - Using NAT

> On Mon, Oct 30, 2000 at 10:25:11AM +0100, Daniel Ruthardt wrote:
>
> [snip]
>
> > Here is the information you need to help me:
> >
> > $ cat /etc/rc.conf
> >
> > # This file now contains just the overrides from /etc/defaults/rc.conf
> > # please make all changes to this file.
> >
> > keymap="german.iso"
> > gateway_enable="YES"
> > hostname="dowee.com"
> > firewall_enable="YES"
> > firewall_type="OPEN"
> > natd_interface="xl0"
> > natd_enable="YES"
> > ifconfig_xl0="DHCP"
> > ifconfig_xl0_alias0="inet 192.0.0.1 netmask 255.255.255.0"
> >
> > $ fgrep 'IP packet filtering' /var/run/dmesg.boot
> >
> > IP packet filtering initialized, divert enabled, rule-based forwarding
> > disabled, default to deny, logging disabled
> >
> > $ ifconfig -a
> >
> > xl0: flags=8843 mtu 1500
> >         inet6 fe80::250:4ff:fe4d:3695%xl0 prefixlen 64 scopeid 0x1
> >         inet 212.186.196.204 netmask 0xffffff00 broadcast 212.186.196.255
> >         inet 192.0.0.1 netmask 0xffffff00 broadcast 192.0.0.255
> >         ether 00:50:04:4d:36:95
> >         media: 10baseT/UTP (10baseT/UTP )
> >         supported media: 10baseT/UTP 10baseT/UTP 10baseT/UTP
>
> [snip]
>
> > $ ipfw show
> >
> > 00100 3064 945994 divert 8668 ip from any to any via xl0
> > 00100    0      0 allow ip from any to any via lo0
> > 00200    0      0 deny ip from any to 127.0.0.0/8
> > 65000 3064 945994 allow ip from any to any
> > 65535    2    656 deny ip from any to any
> >
> > Hope the information tells you what I've done wrong (-:
>
> Looks pretty good except for one big problem, you are trying to use a
> single interface. natd(8) is designed to be used with multiple
> interfaces. It does not work well with one. Each packet will go
> through natd(8) twice and this tends to really confuse it.
>
> There are other problems with this scheme. First, if you were planning
> to later add firewall rules for security, they will offer little
> protection since your machines are still naked on the net. Second, you
> are likely going to be leaking your "private" address traffic onto
> your LAN (and from there who knows where it may get routed). You will
> be one of those guys who causes all those people to mail the list
> asking why they are getting arp error messages about machines responding
> on the wrong interface.
> --
> Crist J. Clark cjclark@alum.mit.edu
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
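As an added illustration of the double pass Crist describes (this is not code from the thread or from FreeBSD), here is a small Python model of how an ipfw `divert ... via xl0` rule hands packets to natd(8). It reduces ipfw to the one detail that matters here, namely that `via` matches on both the input pass and the output pass; the second interface name fxp0, the LAN host and the remote address are assumed sample values.

```python
# Toy model (added example, not FreeBSD code) of ipfw "divert ... via IF"
# matching, used to count how often a forwarded packet reaches natd(8).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    recv_if: str  # interface the packet arrived on ("" if locally generated)
    xmit_if: str  # interface the packet will leave on ("" if delivered locally)


def via_matches(rule_if: str, pkt: Packet, direction: str) -> bool:
    """ipfw 'via X' matches on the input pass when X is the receiving
    interface and on the output pass when X is the transmitting one."""
    if direction == "in":
        return pkt.recv_if == rule_if
    return pkt.xmit_if == rule_if


def natd_passes(pkt: Packet, divert_if: str) -> int:
    """Number of times the kernel diverts this packet to natd: the ruleset
    is evaluated once on input and once on output for a forwarded packet."""
    passes = 0
    if pkt.recv_if and via_matches(divert_if, pkt, "in"):
        passes += 1
    if pkt.xmit_if and via_matches(divert_if, pkt, "out"):
        passes += 1
    return passes


def forwarding_path(lan_if: str, wan_if: str, divert_if: str) -> dict:
    """natd passes for a LAN host's outbound packet and for the reply,
    on a gateway whose LAN side is lan_if and Internet side is wan_if.
    Addresses are constructed sample values (192.0.0.0/24 is Daniel's LAN)."""
    outbound = Packet("192.0.0.2", "198.51.100.10", recv_if=lan_if, xmit_if=wan_if)
    reply = Packet("198.51.100.10", "212.186.196.204", recv_if=wan_if, xmit_if=lan_if)
    return {"outbound": natd_passes(outbound, divert_if),
            "reply": natd_passes(reply, divert_if)}


# Daniel's setup: one NIC (xl0) carries both the DHCP address and the LAN alias.
single_nic = forwarding_path(lan_if="xl0", wan_if="xl0", divert_if="xl0")
# The recommended setup: xl0 on the Internet, a second card (fxp0) on the LAN.
two_nics = forwarding_path(lan_if="fxp0", wan_if="xl0", divert_if="xl0")
```

With one interface every forwarded packet hits the divert rule on both passes (2 each way), while with a dedicated LAN card each packet reaches natd exactly once.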