From: Clement Laforet
To: durham@jcdurham.com
cc: freebsd-hackers@freebsd.org
Date: Sat, 26 Jul 2003 02:22:05 +0200
Subject: Re: NATD and Address Redirection
Message-Id: <20030726022205.452c374f.sheepkiller@cultdeadsheep.org>
In-Reply-To: <200307251349.38413.durham@jcdurham.com>

On Fri, 25 Jul 2003 13:49:38 -0400 Jim Durham wrote:

Hi,

> I'm wondering about the characteristics of the redirect_address option
> of natd. I tried this on -questions, but no one replied, so I thought
> I'd ask on here, hoping to find folks more familiar with kernel
> mechanisms here.

Except for DIVERT, there isn't any kernel mechanism for address translation.

> Consider a FreeBSD NAT "gateway" between a public IP on one network
> interface and a private "LAN" address on the 2nd interface serving a
> group of Windows machines on the LAN with private IPs.
>
> We wanted to allow outside access to one of the LAN machines.
>
> According to the documentation, as I read it, redirect_address sets up
> a "static NAT" which is symmetrical between a public address on the
> outside interface of a FreeBSD machine and a machine on a private IP
> attached to the "inside" or "LAN" network interface.
>
> The procedure we used was to alias a 2nd public address to the outside
> interface and use a redirect_address statement in natd.conf to
> redirect connections to the new public IP to the inside machine.
>
> This doesn't seem to be symmetrical.
>
> I'm questioning whether the connection is really symmetrical?

For incoming traffic, you must use -redirect_address, but for outgoing
you have to set -alias_address. If you want to use a specific public IP
to map incoming AND outgoing packets, you need to run 2 natd, using ipfw
matching.

regards,
clem
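The two-natd arrangement the reply describes, written out as an added example that is not part of the original thread: the second natd carries both alias_address and redirect_address for the mapped host, and ipfw divert rules decide which natd sees which packets. Addresses, the interface name and the published ports are constructed placeholders.

```sh
#!/bin/sh
# Two natd instances, selected by ipfw divert rules, so that one LAN host is
# mapped 1:1 to a second public address in both directions while the rest of
# the LAN shares the primary address.  All addresses, the interface name and
# the published ports are constructed placeholders.
EXT_IF=${EXT_IF:-fxp0}               # outside interface
PUB1=${PUB1:-203.0.113.1}            # primary public address (shared by the LAN)
PUB2=${PUB2:-203.0.113.2}            # second public address, aliased onto EXT_IF
LAN_HOST=${LAN_HOST:-192.168.1.10}   # the inside machine reachable from outside
NATD=${NATD:-natd}                   # set NATD=echo IPFW=echo to print instead of apply
IPFW=${IPFW:-ipfw}

start_natd() {
    # natd #1 (divert port 8668): dynamic many-to-one NAT for the whole LAN.
    $NATD -p 8668 -a "$PUB1" -s -u
    # natd #2 (divert port 8669): alias_address rewrites LAN_HOST's outgoing
    # source to PUB2; redirect_address sends packets arriving for PUB2 to LAN_HOST.
    $NATD -p 8669 -a "$PUB2" -redirect_address "$LAN_HOST" "$PUB2"
}

add_ipfw_rules() {
    # Inbound for PUB2 -> natd #2; once translated (dst is now LAN_HOST) skip
    # past the remaining divert rules so natd #1 never sees the packet.
    $IPFW add 100 divert 8669 ip from any to "$PUB2" in via "$EXT_IF"
    $IPFW add 110 skipto 1000 ip from any to "$LAN_HOST" in via "$EXT_IF"
    # Outbound from LAN_HOST -> natd #2; same skip once the source is PUB2.
    $IPFW add 120 divert 8669 ip from "$LAN_HOST" to any out via "$EXT_IF"
    $IPFW add 130 skipto 1000 ip from "$PUB2" to any out via "$EXT_IF"
    # Everything else crossing the outside interface -> natd #1.
    $IPFW add 200 divert 8668 ip from any to any via "$EXT_IF"
    # Filtering after translation: expose only the published services on the
    # mapped host and drop other new inbound connections to it; the rest of
    # the site's filtering policy continues from here.
    $IPFW add 1000 allow tcp from any to "$LAN_HOST" 80,443 in via "$EXT_IF" setup
    $IPFW add 1010 deny tcp from any to "$LAN_HOST" in via "$EXT_IF" setup
}
# On the gateway (as root, kernel built with IPFIREWALL and IPDIVERT):
#   start_natd && add_ipfw_rules
```

Run with NATD=echo IPFW=echo first to review the generated natd and ipfw commands before applying them.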