Date: Fri, 5 May 2000 22:28:59 -0600 (MDT)
From: "Forrest W. Christian"
To: questions@FreeBSD.ORG
Subject: Re: NATD Configuration.

I just love answering my own questions....  But for the archive...

On Fri, 5 May 2000, Forrest W. Christian wrote:

> I have an interesting NATD configuration problem.
>
> I currently have a machine running a version of 3-STABLE with three
> interfaces:
>
> interface wi0 - WaveLAN Interface to the Internet
> interface ed0 - "Private" ethernet segment - 192.168.1.x
> interface ed1 - "Public" ethernet segment - 206.127.x.x
>
> The goal is to have ed0 sit behind the functionality of natd not only for
> the address translation benefits but also for security and to have the ed1
> interface essentially "wide open".

Adding a second divert ala:  (these might be slightly mangled)

    ipfw add 100 divert natd ip from any to any via wi0
    ipfw add 100 divert natd ip from any to any via ed1

Has the desired effect.  This forces not only traffic from wi0 to be
diverted/nat'ed but also traffic from ed1.

-unregistered_only (natd option) is required.

Additional filters (recommended) for wi0 and ed1 to drop "unnat'd" traffic
to/from 192.168.1.x are left as an exercise for the reader.

- Forrest W. Christian (forrestc@imach.com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
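
One possible shape for the filters the message leaves as an exercise, as an added example that is not part of the original post. The rule numbers 50 and 200, the /24 mask for 192.168.1.x, the function name and the APPLY switch are assumptions; the two divert rules are the ones quoted above.

```shell
#!/bin/sh
# Added example: anti-leak filters around the two divert rules from the post.
# Assumptions (not from the post): rule numbers 50 and 200, a /24 mask for
# 192.168.1.x, the function name and the APPLY switch.
PRIVATE_NET="192.168.1.0/24"
NAT_IFACES="wi0 ed1"

# Print the ruleset, one ipfw command per line, in evaluation order.
natd_filter_rules() {
    for ifc in $NAT_IFACES; do
        # Before the divert (number < 100): a packet arriving on a NAT'd
        # interface must not already carry a private address. Once natd has
        # de-aliased a reply its destination IS private, so this check
        # cannot be placed after rule 100.
        echo "ipfw add 50 deny ip from $PRIVATE_NET to any in via $ifc"
        echo "ipfw add 50 deny ip from any to $PRIVATE_NET in via $ifc"
    done
    for ifc in $NAT_IFACES; do
        echo "ipfw add 100 divert natd ip from any to any via $ifc"
    done
    for ifc in $NAT_IFACES; do
        # After the divert: natd re-injects packets at the rules following
        # rule 100, so a private address still present on the way out
        # means the packet was not translated.
        echo "ipfw add 200 deny ip from $PRIVATE_NET to any out via $ifc"
        echo "ipfw add 200 deny ip from any to $PRIVATE_NET out via $ifc"
    done
}

# Dry run by default; APPLY=1 executes the commands (as root, on the gateway).
if [ "${APPLY:-0}" = "1" ]; then
    natd_filter_rules | sh -e
else
    natd_filter_rules
fi
```

Traffic on ed0 itself is untouched by these rules, so the private segment still reaches the gateway normally.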