From owner-freebsd-questions@FreeBSD.ORG Wed Mar 19 20:02:51 2008
From: Robert Huff
Date: Wed, 19 Mar 2008 16:02:59 -0400
To: questions@freebsd.org
Subject: confusion configuring NAT

I'm trying to get NAT going, and apparently failing to understand large
parts of the concept:

1) Per the handbook I have added

        options IPFIREWALL
        options IPDIVERT

   to the kernel.

2) The firewall is active, and configured so it works for the machine
   itself. (Settings appended.)

3) I need to do translation for all machines on 10.0.0.0/8.

4) Working from the ipfw man page:

        ipfw add nat 10 all from any to any

   then

        ipfw nat 10 config log ip 10.0.0.0/8

   Uh-oh:

        ipfw: bad ip address ``10.0.0.0/8''

   OK, choose one machine.

        ipfw nat 10 config log ip 10.0.0.3

   Accepted.

5) Now, start natd. (natd.conf appended)

        /sbin/natd -l -f /etc/natd.conf

   Nope:

        natd: instance default: aliasing address not given

   Huh?

This has gotten a lot more complicated since the last time. :-P

                        Robert Huff


#! /bin/sh
# ipfw ruleset for the gateway; IF is the outside interface, OF the inside one.
IF=em0
OF=em1

# loopback traffic is fine, but nothing on the wire may claim 127/8
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any

/bin/sleep 3 # for DHCP
ipfw add 350 allow udp from any 67-68 to any 67-68

# close NetBios to outside contact
/etc/ipfw.netbios.set
# close RPC to outside contact
/etc/ipfw.rpc.set
# no outside SNMP
/etc/ipfw.snmp.set
# # no IRC
# /etc/ipfw.irc.set

# established connections are okay.
ipfw add 10000 allow tcp from any to any established

# let all stuff out
ipfw add 10100 allow all from any to any out via $IF

# internal connections are okay (assuming that 10.0.0.0/8 is your IP
# address range internally)
ipfw add 10200 allow tcp from 10.0.0.0/8 to any 80

# not starting natd here, in case it's already running

# allow anything not previously forbidden
ipfw add 65000 allow ip from any to any


**************** natd.conf ****************

instance 10
interface em0
same_ports yes
log_ipfw_denied yes
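An added example, not the poster's script or the FreeBSD project's code, showing the in-kernel ipfw NAT path that step 4 of the post attempts (no natd and no divert rule): the nat instance is bound to the outside interface rather than to an address, and the one_pass sysctl lets filtering rules run after the nat action. The interface names em0/em1 and the instance number 10 come from the post; `run`, `nat_rules`, DRY_RUN and the rule numbers are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's script: a minimal in-kernel ipfw NAT
# ruleset for a gateway with 10.0.0.0/8 behind it.  Assumes FreeBSD 7.x
# ipfw with IPFIREWALL_NAT (or the ipfw_nat module); natd is not used.
EXT=${EXT:-em0}              # outside interface (em0, as in the post)
INT=${INT:-em1}              # inside interface (em1, as in the post)
INSIDE=${INSIDE:-10.0.0.0/8}
NAT_ID=${NAT_ID:-10}         # nat instance number, as in the post

# With DRY_RUN set, print each command instead of executing it, so the
# ruleset can be reviewed (or tested) without touching the kernel.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

nat_rules() {
    # Let packets continue through the rules after the nat action; with
    # the default one_pass=1 they are accepted right after it.
    run sysctl net.inet.ip.fw.one_pass=0
    # "config ip" takes a single external address (a prefix such as
    # 10.0.0.0/8 is what produces "bad ip address"); "if $EXT" tracks
    # the interface's current address instead, which suits DHCP.
    # deny_in drops inbound packets that match no translation entry.
    run ipfw nat "$NAT_ID" config if "$EXT" log same_ports deny_in
    run ipfw add 100 allow ip from any to any via lo0
    run ipfw add 110 deny ip from any to 127.0.0.0/8
    # DHCP for the gateway itself must pass before the nat rule sees it.
    run ipfw add 150 allow udp from any 67-68 to any 67-68
    # Translate everything crossing the outside interface, both ways.
    run ipfw add 200 nat "$NAT_ID" ip from any to any via "$EXT"
    # Inside hosts may start flows; anything else arriving on the inside
    # interface (spoofed source) falls through to the final deny.
    run ipfw add 300 allow ip from "$INSIDE" to any in via "$INT"
    run ipfw add 310 allow ip from any to "$INSIDE" out via "$INT"
    # Post-nat outbound traffic (source already rewritten) may leave.
    run ipfw add 320 allow ip from any to any out via "$EXT"
    # Inbound traffic reaching here was mapped back by nat to a 10/8
    # host; unmapped packets were already dropped by deny_in.
    run ipfw add 330 allow ip from any to "$INSIDE" in via "$EXT"
    run ipfw add 65000 deny log ip from any to any
}

case "${1:-}" in
    apply) nat_rules ;;            # load the rules into the kernel
    show)  DRY_RUN=1 nat_rules ;;  # print them for review first
esac
```

Run it with `show` to review the generated commands, then with `apply` as root on the gateway.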