From owner-freebsd-questions@FreeBSD.ORG  Tue May  4 09:50:10 2004
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 6C0C416A4CE
	for <freebsd-questions@FreeBSD.ORG>;
	Tue,  4 May 2004 09:50:10 -0700 (PDT)
Received: from above.proper.com (above.proper.com [208.184.76.39])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 0ABF743D46
	for <freebsd-questions@FreeBSD.ORG>;
	Tue,  4 May 2004 09:50:08 -0700 (PDT)
	(envelope-from phoffman@proper.com)
Received: from [10.20.30.249] (dsl2-63-249-109-252.cruzio.com
	[63.249.109.252])	(authenticated bits=0)
	by above.proper.com (8.12.11/8.12.9) with ESMTP id i44Go2xl096273
	for <freebsd-questions@FreeBSD.ORG>;
	Tue, 4 May 2004 09:50:04 -0700 (PDT)
	(envelope-from phoffman@proper.com)
Mime-Version: 1.0
X-Sender: phoffprop@mail.proper.com
Message-Id: <p06100510bcbd7891d439@[10.20.30.249]>
In-Reply-To: <200405011813.i41IDOCh083041@above.proper.com>
References: <200405011813.i41IDOCh083041@above.proper.com>
Date: Tue, 4 May 2004 09:50:05 -0700
To: freebsd-questions@FreeBSD.ORG
From: Paul Hoffman <phoffman@proper.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Subject: RE: Setting up a NAT without a firewall
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 04 May 2004 16:50:10 -0000

Off-list, someone pointed out to me that ipnat is *much* easier to 
deal with than IPFIREWALL and all its baggage. No kernel rebuilding, 
no juggling with the firewall. Nice. For those of you in the same 
situation as me, definitely look into ipnat.

My system gets its external address from my ISP's DHCP server on 
interface em0. The machines in my house are connected to a switch 
that is attached to itnerface rl0.

Relevant stuff in /etc/rc.conf:

ifconfig_em0="DHCP"
ifconfig_rl0="inet 10.20.30.1 netmask 255.255.255.0"
gateway_enable="YES"
ipfilter_enable="YES"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.conf"

Contents of /etc/ipnat.conf:

map em0 10.20.30.0/24 -> 0/32

Two notes not covered in the ipnat man pages:

- The man page doesn't say which interface name you use in the map 
statement; it's the external interface.

- If you get your external IP address from DHCP, you can use "0/32" 
as the target. This is very handy.

--Paul Hoffman