Date: Wed, 04 Mar 1998 21:27:57 -0800
From: Ludwig Pummer <ludwigp@bigfoot.com>
To: djacobse@umdsun2.umd.umich.edu, freebsd-questions@FreeBSD.ORG
Subject: Re: natd
Message-ID: <3.0.3.32.19980304212757.00714514@mail.plstn1.sfba.home.com>
In-Reply-To: <199803042150.VAA02906@0.ml.org>
At 09:50 PM 3/4/98 GMT, djacobse@umdsun2.umd.umich.edu wrote:
>i'm having trouble getting natd to work, i have two ethernet devices, ed0 and ep0. i'm not sure
>how to do it (tho i have experience with linux ip_masquerading)
>but i switched to freebsd for stability and performance reasons.
>unfortunately i must have something like ip masqing or natd to work
>thank you for your help,
>doug jacobsen

From the (2.2.5-R) natd man page (ahem ahem maybe you should RTFM next time):

     The following steps are necessary before attempting to run natd:

     1.   Get FreeBSD version 2.2 or higher. Versions before this do not
          support divert(4) sockets.

     2.   Build a custom kernel with the following options:

               options IPFIREWALL
               options IPDIVERT

          Refer to the handbook for detailed instructions on building a
          custom kernel.

     3.   Ensure that your machine is acting as a gateway. This can be done
          by specifying the line

               gateway_enable=YES

          in /etc/rc.conf, or using the command

               sysctl -w net.inet.ip.forwarding=1

     4.   If you wish to use the -n or -interface flags, make sure that your
          interface is already configured. If, for example, you wish to
          specify tun0 as your interface, and you're using ppp(8) on that
          interface, you must make sure that you start ppp prior to starting
          natd.

     5.   Create an entry in /etc/services:

               natd 6668/divert # Network Address Translation socket

          This gives a default for the -p or -port flag.

     Running natd is fairly straightforward. The line

          natd -interface ed0

     should suffice in most cases (substituting the correct interface name).
     Once natd is running, you must ensure that traffic is diverted to natd:

     1.   You will need to adjust the /etc/rc.firewall script to taste. If
          you're not interested in having a firewall, the following lines
          will do:

               /sbin/ipfw -f flush
               /sbin/ipfw add divert natd all from any to any via ed0
               /sbin/ipfw add pass all from any to any

          The second line depends on your interface (change ed0 as
          appropriate) and assumes that you've updated /etc/services with
          the natd entry as above.

          If you specify real firewall rules, it's best to specify line 2 at
          the start of the script so that natd sees all packets before they
          are dropped by the firewall. The firewall rules will be run again
          on each packet after translation by natd, minus any divert rules.

     2.   Enable your firewall by setting

               firewall_enable=YES

          in /etc/rc.conf. This tells the system startup scripts to run the
          /etc/rc.firewall script. If you don't wish to reboot now, just run
          this by hand from the console. NEVER run this from a virtual
          session unless you put it into the background. If you do, you'll
          lock yourself out after the flush takes place, and execution of
          /etc/rc.firewall will stop at this point - blocking all accesses
          permanently. Running the script in the background should be enough
          to prevent this disaster.

--Ludwig Pummer   ludwigp@bigfoot.com   ICQ UIN: 692441   http://chipweb.home.ml.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
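As an added example (not part of the original message or of the natd man page), a small POSIX sh script that checks, offline and without touching ipfw, the two things the steps above hinge on: that /etc/services carries the natd divert entry, and that in an rc.firewall-style script the "divert natd" rule precedes every deny/reject rule so natd sees packets before the firewall drops them. The file names, the awk-based check and the sample services and rule files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original message: offline checks for the natd
# setup described above. Nothing here runs ipfw; it only inspects files.

# Return 0 if the services file ($1) defines natd on a divert port,
# e.g. "natd 6668/divert", which natd needs for its default -port value.
natd_service_defined() {
    grep -Eq '^natd[[:space:]]+[0-9]+/divert' "$1"
}

# Return 0 if, in the rc.firewall-style script $1, the first
# "ipfw add divert natd" rule comes before every deny/reject/unreach rule.
# Return 1 if a deny precedes the divert, or if no divert rule exists.
divert_before_deny() {
    awk '
        /ipfw .*add .*divert natd/ && !seen { seen = 1 }
        /ipfw .*add .*(deny|reject|unreach)/ && !seen { bad = 1 }
        END { if (seen && !bad) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample inputs (not real system files); removed on exit.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/services" <<'EOF'
ssh     22/tcp
natd    6668/divert   # Network Address Translation socket
EOF
cat > "$tmp/good.firewall" <<'EOF'
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add deny tcp from any to any 23 via ed0
/sbin/ipfw add pass all from any to any
EOF
cat > "$tmp/bad.firewall" <<'EOF'
/sbin/ipfw -f flush
/sbin/ipfw add deny tcp from any to any 23 via ed0
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
EOF
natd_service_defined "$tmp/services" && echo "services: natd divert entry present"
for f in good bad; do
    if divert_before_deny "$tmp/$f.firewall"; then
        echo "$f.firewall: divert natd rule precedes all deny rules"
    else
        echo "$f.firewall: WARNING: a deny rule precedes the divert rule"
    fi
done
```

Run it against your real /etc/services and /etc/rc.firewall paths instead of the constructed files once you have edited them; the deny check only looks at rule order, not at whether the rules themselves are sensible.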