Date:      Mon, 30 Oct 2000 11:19:46 -0800
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Daniel Ruthardt <ruthardt@chello.at>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IP Masquerading - Using NAT
Message-ID:  <20001030111946.A3675@149.211.6.64.reflexcom.com>
In-Reply-To: <KDEOJJLADGAOLHAHFGMKCEDBCBAA.ruthardt@chello.at>; from ruthardt@chello.at on Mon, Oct 30, 2000 at 10:25:11AM +0100
References:  <20001029143205.X75251@149.211.6.64.reflexcom.com> <KDEOJJLADGAOLHAHFGMKCEDBCBAA.ruthardt@chello.at>

On Mon, Oct 30, 2000 at 10:25:11AM +0100, Daniel Ruthardt wrote:

[snip]

> Here is the information you need to help me:
> 
>   $ cat /etc/rc.conf
> 
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
> 
> keymap="german.iso"
> gateway_enable="YES"
> hostname="dowee.com"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_interface="xl0"
> natd_enable="YES"
> ifconfig_xl0="DHCP"
> ifconfig_xl0_alias0="inet 192.0.0.1 netmask 255.255.255.0"
> 
>   $ fgrep 'IP packet filtering' /var/run/dmesg.boot
> 
> IP packet filtering initialized, divert enabled, rule-based forwarding disabled, default to deny, logging disabled
> 
>   $ ifconfig -a
> 
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet6 fe80::250:4ff:fe4d:3695%xl0 prefixlen 64 scopeid 0x1
>         inet 212.186.196.204 netmask 0xffffff00 broadcast 212.186.196.255
>         inet 192.0.0.1 netmask 0xffffff00 broadcast 192.0.0.255
>         ether 00:50:04:4d:36:95
>         media: 10baseT/UTP (10baseT/UTP <half-duplex>)
>         supported media: 10baseT/UTP <full-duplex> 10baseT/UTP <half-duplex> 10baseT/UTP

[snip]

>   $ ipfw show
> 
> 00100 3064 945994 divert 8668 ip from any to any via xl0
> 00100    0      0 allow ip from any to any via lo0
> 00200    0      0 deny ip from any to 127.0.0.0/8
> 65000 3064 945994 allow ip from any to any
> 65535    2    656 deny ip from any to any
> 
> Hope the information tells you what I've done wrong (-:

Looks pretty good except for one big problem: you are trying to use a
single interface. natd(8) is designed to be used with multiple
interfaces. It does not work well with one. Each packet will go
through natd(8) twice and this tends to really confuse it.

There are other problems with this scheme. First, if you were planning
to later add firewall rules for security, they will offer little
protection since your machines are still naked on the net. Second, you
are likely going to be leaking your "private" address traffic onto
your LAN (and from there who knows where it may get routed). You will
be one of those guys who causes all those people to mail the list
asking why they are getting arp error messages about machines responding
on the wrong interface.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
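As an added example, not part of the thread and not one of FreeBSD's own rc scripts, here is a small POSIX sh audit that reads an rc.conf and flags the problems described in the reply: natd bound to the only configured interface, the LAN address hung as an alias on that same NAT interface, and an inside address outside the RFC 1918 ranges (10/8, 172.16/12, 192.168/16; 192.0.0.0/24 is not one of them). The function names (rc_get, addr_of, is_rfc1918, check_private, natd_check) and both sample rc.conf files are constructed for this example; the first sample is the quoted configuration trimmed to its NAT-relevant lines, the second is the same host with a second card carrying the LAN.

```shell
#!/bin/sh
# Added example: read-only rc.conf audit for the single-interface natd setup.
# All function names and both sample files below are this example's own.

# Constructed sample 1: the quoted rc.conf, natd and the LAN alias both on xl0.
RC_BAD=$(mktemp)
cat > "$RC_BAD" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_interface="xl0"
natd_enable="YES"
ifconfig_xl0="DHCP"
ifconfig_xl0_alias0="inet 192.0.0.1 netmask 255.255.255.0"
EOF

# Constructed sample 2: a second interface (xl1) carries the LAN with RFC 1918 space.
RC_GOOD=$(mktemp)
cat > "$RC_GOOD" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
natd_interface="xl0"
natd_enable="YES"
ifconfig_xl0="DHCP"
ifconfig_xl1="inet 192.168.0.1 netmask 255.255.255.0"
EOF
trap 'rm -f "$RC_BAD" "$RC_GOOD"' EXIT

# rc_get FILE VAR: print VAR's value with surrounding quotes removed; last setting wins.
rc_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# addr_of "inet A.B.C.D netmask ...": print A.B.C.D; prints nothing for DHCP or empty.
addr_of() {
    printf '%s\n' "$1" | sed -n 's/.*inet[[:space:]][[:space:]]*\([0-9.]*\).*/\1/p'
}

# is_rfc1918 ADDR: true if ADDR lies in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_private IF CFG: 0 if CFG has no address or an RFC 1918 one, else 1 plus a message.
check_private() {
    a=$(addr_of "$2")
    [ -n "$a" ] || return 0
    if is_rfc1918 "$a"; then return 0; fi
    echo "PROBLEM: $a on $1 is not an RFC 1918 address; such traffic can leak beyond the LAN"
    return 1
}

# natd_check FILE: 0 when natd has a distinct inside interface with RFC 1918
# addressing, 1 when any of the problems discussed in the thread is present.
natd_check() {
    rc=$1; problems=0
    [ "$(rc_get "$rc" natd_enable)" = "YES" ] || { echo "natd not enabled; nothing to check"; return 0; }
    nat_if=$(rc_get "$rc" natd_interface)
    # Primary ifconfig_<if>= lines only; ifconfig_<if>_aliasN= lines do not match.
    ifaces=$(sed -n 's/^[[:space:]]*ifconfig_\([a-z]*[0-9]*\)=.*/\1/p' "$rc" | sort -u)
    inside=""
    for i in $ifaces; do
        [ "$i" = "$nat_if" ] || inside="$inside $i"
    done
    if [ -z "$inside" ]; then
        echo "PROBLEM: natd on $nat_if, but no second interface is configured (every packet passes natd twice)"
        problems=$((problems + 1))
    fi
    alias=$(rc_get "$rc" "ifconfig_${nat_if}_alias0")
    if [ -n "$alias" ]; then
        echo "PROBLEM: LAN address $(addr_of "$alias") is an alias on the NAT interface $nat_if; hosts stay exposed"
        problems=$((problems + 1))
    fi
    check_private "$nat_if" "$alias" || problems=$((problems + 1))
    for i in $inside; do
        check_private "$i" "$(rc_get "$rc" "ifconfig_$i")" || problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

echo "== quoted rc.conf =="
natd_check "$RC_BAD" || echo "=> single-interface NAT setup; fix before adding firewall rules"
echo "== two-interface rc.conf =="
natd_check "$RC_GOOD" && echo "=> OK"
```

Run it as-is to see both verdicts, or call `natd_check /etc/rc.conf` on a box to audit the live file; it only reads the file and never touches ipfw or natd. The alias check looks at `_alias0` only, which is enough for the configuration in the thread; extend the loop over `_aliasN` if a host hangs several addresses on the outside card.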