From owner-freebsd-net Tue Dec 4 12:18:18 2001
Date: Tue, 4 Dec 2001 21:18:08 +0100
From: devet@devet.org (Arjan de Vet)
To: veedee@c7.campus.utcluj.ro
Cc: net@freebsd.org
Subject: Re: ipnat
Message-ID: <20011204211807.A95642@adv.devet.org>
In-Reply-To: <20011204210510.A1833@c7.campus.utcluj.ro>
Organization: Eindhoven, the Netherlands

In article <20011204210510.A1833@c7.campus.utcluj.ro> you write:

># allow everything to the other building
>add allow ip from any to 172.27.40.0/23
>add divert natd ip from any to any via xl0
>add allow ip from any to any

I'm not familiar with natd but I guess this means that traffic towards
172.27.40.0/23 should not be NATted but the rest should.

>my internal network is 172.27.0.0/23 and the network in the other building is
>172.27.40.0/23. Their configuration is correct as they are able to
>masquerade with another building successfully. Now, what we were doing is
>allow our workstations to use their services one with another. So a station
>from the other building (let's say 172.27.40.133) was able to ftp, telnet,
>ssh to a station in my building (for instance 172.27.1.5). So what was sent
>to the other building was sent "un-masqueraded" (the divert rule came after
>allow). Also we had to add a route like:
>"route add -net 172.27.40.0 otherbuilding 255.255.254.0".
>
>-- ipnat.rules --
>map xl0 172.27.0.0/23 -> x.x.x.x/32 proxy port ftp ftp/tcp
>map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32

Try something like this:

map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32

0/0 is a special directive to indicate that no NAT-ing should take place
(0/32 is shorthand for the current IP address of the xl0 interface, useful
if that address is obtained via DHCP). The first two rules say that traffic
from 172.27.0.0/23 towards 172.27.40.0/23 should not be NATted (but the
kernel ftp proxy is still used in this case). The rest will be NATted to
x.x.x.x.

>-- rc.conf --
>ipfilter_enable="YES"
>ipfilter_program="/sbin/ipf -Fa -f"
>ipfilter_flags=""
>ipfilter_rules="/etc/ipf.rules"
>ipnat_enable="YES"
>ipnat_program="/sbin/ipnat -CF -f"
>ipnat_rules="/etc/ipnat.rules"
>ipmon_enable="YES"
>ipmon_program="/sbin/ipmon"
>ipmon_flags="-Ds"

You only need the _enable variables here.

>Dunno what more to say... does anyone have any ideas? Have I forgotten
>something or is ipnat dumber than natd?

Nope :)

Arjan

--
Arjan de Vet, Eindhoven, The Netherlands
URL : http://www.iae.nl/users/devet/
Work: http://www.madison-gurkha.com/ (Security, Open Source, Education)
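The exemption trick above depends on ipnat taking the first matching map rule. The following is an added example, not code from this mail or from IP Filter: a small Python model of that first-match behaviour that parses both rule sets and reports which source address a packet leaves xl0 with. It assumes the documentation address 198.51.100.1 in place of x.x.x.x and ignores the proxy/port clauses.

```python
import ipaddress

# Constructed stand-in for the real public address written as x.x.x.x in the mail.
IFACE_ADDR = {"xl0": "198.51.100.1"}

# The rules suggested in the reply: inter-building traffic is exempted by 0/0.
SUGGESTED_RULES = """
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
map xl0 from 172.27.0.0/23 to any -> 198.51.100.1/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> 198.51.100.1/32
"""

# The poster's original rules: everything leaving xl0 from the inside is mapped.
ORIGINAL_RULES = """
map xl0 172.27.0.0/23 -> 198.51.100.1/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> 198.51.100.1/32
"""


def parse_rules(text):
    """Parse the 'map' subset of ipnat syntax into (iface, src, dst, target)."""
    rules = []
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] != "map":
            continue
        if w[2] == "from":             # map IF from SRC to DST -> TARGET ...
            src, dst, target = w[3], w[5], w[7]
        else:                          # map IF SRC -> TARGET ...
            src, dst, target = w[2], "any", w[4]
        net = lambda s: ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)
        rules.append((w[1], net(src), net(dst), target))
    return rules


def translate(rules, iface, src, dst):
    """Source address a packet leaves with; the first matching map rule wins."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_iface, r_src, r_dst, target in rules:
        if r_iface == iface and src_ip in r_src and dst_ip in r_dst:
            if target == "0/0":        # matched, but explicitly not translated
                return src
            if target == "0/32":       # current address of the outgoing interface
                return IFACE_ADDR[iface]
            return str(ipaddress.ip_network(target).network_address)
    return src                         # no map rule matched: left untouched
```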