From: Dirk-Willem van Gulik <dirk.vangulik@jrc.it>
Organization: ISIS/STA - Joint Research Center of the European Commission
Date: Fri, 04 Dec 1998 16:57:02 +0100
To: freebsd-doc@FreeBSD.ORG
Subject: On natd.
Message-ID: <3668064E.5C28A67E@jrc.it>

I kind of wasted two hours on getting natd to work; it turned out that the
LKM was used, and as it does not get re-compiled with the IPDIVERT, things
kind of did not work.

For the customer I just wrote this bit of text; feel free to abuse it for
the FAQ, manual or manpage. I just found natd(8) a bit thin on the ground
with examples. I am sure this can be improved, but currently there is very
little to copy from.

Dw.

-----

Item. How to map a few IP addresses from the client's 'internal' network
onto one or more 'external' addresses.

0.
   Throughout this example we have the following players:

       vx0              external interface; connected to 139.191.145.0/24
       xl0              internal interface; connected to 10.0.0.0/16
       10.0.x.y         'internal' machines
       139.191.145.x    'external' machines
       139.191.145.80   the machine which runs natd
       139.191.145.8x   x=1..9, free IP addresses

1. Follow the instructions in natd(8). In step 2, the kernel rebuild, be
   aware that most 2.2 and up systems use an LKM module, so you will have
   to recompile this module as well. So after adding IPFIREWALL and
   IPDIVERT do something like:

       # configure the kernel. do NOT use '-n'
       #
       config MYKERNEL
       cd ../../compile/MYKERNEL
       # compile the kernel
       make && make install
       # recompile the LKM (note '&&', not a single '&', which would
       # background the build and run 'make install' against stale objects)
       cd /usr/src/lkm/ipfw
       make && make install

2. Create a small configuration file, /etc/natd.cf, in which you put
   something like:

       redirect_address 10.0.0.2 139.191.145.81
       redirect_address 10.0.2.4 139.191.145.82
       redirect_address 10.0.1.7 139.191.145.83

   I.e. in this case we are making the machines 10.2, 10.4 and 10.7
   visible to the outside world in a continuous 81 to 83 range.

3. Add a new firewall type in the rc.firewall file, just after the 'open'
   one:

       #...
       elif [ "${firewall_type}" = "natd" ]; then
           /sbin/ipfw add divert natd all from any to any via vx0
           /sbin/ipfw add pass all from any to any
       elif [ "${firewall_type}" = "client" ]; then
       ....

4. Specify this firewall in rc.conf:

       firewall_enable="YES"   # Set to YES to enable firewall functionality
       firewall_type="natd"    # Firewall type (see /etc/rc.firewall)

5. And start natd, for example from your rc.local:

       # '[' does not understand '&&'; test each condition separately
       if [ -f /etc/natd.cf ] && [ -x /usr/sbin/natd ]; then
           outside_if=vx0
           /usr/sbin/natd -f /etc/natd.cf -interface $outside_if \
               && echo -n ' natd'

6. If you are masquerading hosts onto the external side, as in the above
   example, you will have to add the 'alias' to the external interface.
   You could use something like this:

           # add the external address from the natd.cf mapping file
           # to the aliases for our primary interface
           #
           strangers=`grep ^redirect_address /etc/natd.cf | awk '{ print $3 }'`
           for alien in $strangers; do
               # an alias on the same subnet as the primary address needs
               # a host mask (0xffffffff); with the subnet's own mask
               # ifconfig fails with "File exists"
               ifconfig $outside_if inet $alien netmask 0xffffffff alias
           done
       fi

Dw.
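The alias step above, as an added example that is not part of Dirk-Willem's post: a small POSIX sh script that reads the redirect_address lines of a natd.cf, validates each public address, refuses duplicates and the natd host's own address, and emits the ifconfig alias, natd and ipfw commands for the mapping. The natd.cf content is constructed inline to mirror the three mappings in the post; the interface name vx0 and the natd host address 139.191.145.80 are taken from the post's example network. Commands are printed rather than executed, so it runs anywhere; on the natd host you would pipe the output into sh.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the ifconfig
# alias and natd/ipfw commands implied by a natd.cf, with checks the
# one-line grep|awk in the post lacks. Output is printed, not executed.

# Constructed sample natd.cf, mirroring the three mappings in the post.
NATD_CF_SAMPLE='# /etc/natd.cf (constructed for this example)
redirect_address 10.0.0.2 139.191.145.81
redirect_address 10.0.2.4 139.191.145.82
redirect_address 10.0.1.7 139.191.145.83
'

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# public_addrs CONF_TEXT: print the external (third) field of every
# redirect_address line; blank lines and comments never match the key.
public_addrs() {
    printf '%s\n' "$1" | while read -r key local_ip public_ip _rest; do
        if [ "$key" = redirect_address ] && [ -n "$public_ip" ]; then
            printf '%s\n' "$public_ip"
        fi
    done
}

# gen_commands CONF_TEXT EXT_IF NATD_IP: print the commands that bring
# the mapping up, or fail (non-zero, nothing useful printed) on a
# malformed, duplicated or self-referential public address.
gen_commands() {
    conf=$1; ext_if=$2; natd_ip=$3
    seen=' '
    for alien in $(public_addrs "$conf"); do
        if ! is_ipv4 "$alien"; then
            echo "gen_commands: bad public address: $alien" >&2; return 1
        fi
        if [ "$alien" = "$natd_ip" ]; then
            echo "gen_commands: $alien is the natd host's own address" >&2; return 1
        fi
        case "$seen" in
            *" $alien "*) echo "gen_commands: duplicate public address: $alien" >&2; return 1 ;;
        esac
        seen="$seen$alien "
        # Host mask: an alias on the same subnet as the primary address
        # must use 0xffffffff, or ifconfig fails with "File exists".
        echo "ifconfig $ext_if inet $alien netmask 0xffffffff alias"
    done
    # Start natd before adding the divert rule, so diverted packets
    # always find a listener on the divert socket.
    echo "natd -f /etc/natd.cf -interface $ext_if"
    echo "ipfw add divert natd all from any to any via $ext_if"
    echo "ipfw add pass all from any to any"
}

# Stand-alone run: emit the commands for the sample configuration.
gen_commands "$NATD_CF_SAMPLE" vx0 139.191.145.80
```

The self-address check matters because a redirect_address whose public side is the natd host's own primary address would steal every inbound connection to the box itself, including the SSH or telnet session you are configuring it from.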