Date:      Fri, 24 Sep 1999 05:59:09 +0200 (CEST)
From:      Martin Welk <mw@freibergnet.de>
To:        Joe Gleason <freebsd.list@bug.tasam.com>
Cc:        stable@FreeBSD.ORG, Ed Shoro <ed@pdqnet.com>
Subject:   Re: Natd
Message-ID:  <XFMail.990924055909.mw@freibergnet.de>
In-Reply-To: <015e01bf0626$26ca9dc0$256b52c6@tasam.com>

On 24-Sep-99 Joe Gleason wrote:

()  That will be a tricky one, because PC anywhere uses some UDP packets to
()  establish the connection as well as the TCP connection.  As far as the
()  natd setup, all I can say is man natd.

You can configure natd in two ways: to redirect defined UDP and TCP ports
for defined addresses to the same or different UDP or TCP ports on one or
many machines. This is sometimes tricky.

A good starting point is always to read the documentation, especially
ipfirewall(4), ipfw(8), natd(8) and sometimes dummynet(4) to read more
about how the firewall code works and for better and deeper under-
standing. For NAT, you don't need dummynet, but the documentation is
also interesting.

Build a kernel including IPDIVERT, IPFIREWALL and what else you want (look
at the documentation again, and look at the LINT file).

Use the log function of the ipfirewall to see which UDP and TCP ports PC
Anywhere needs, if you can't find anything in the PC Anywhere documentation.
Check carefully whether it works with a connection to a static port or from
a static port or whatever, and then start building a natd configuration and
an ipfw configuration.

Some examples, fragments from a working setup I changed a little:

First, we define an alias address on the "world" interface, which is not
necessary, but leaves us open to use any ports on the "real" (gateway)
machine:

        ifconfig x0 inet a.b.c.d netmask m.n.o.p
        ifconfig x0 alias a.b.c.d+1 netmask m.n.o.p
        ifconfig x1 alias e.f.g.h netmask q.r.s.t

...and let's assume that your internal host is e.f.g.h+1

(Usually, you do this in /etc/rc.conf.)

Some natd configuration:

        port 8668
        deny_incoming no
        alias_address a.b.c.d   (*)
        redirect_address e.f.g.h+1 a.b.c.d+1  (**)

(*)  This will be the alias address natd uses for connections coming from
     the LAN interface (x1) to foreign hosts. It depends on your setup
     which one makes more sense - I'm using a second x0 alias for this
     purpose.

(**) You can also use the redirect_port command to redirect special
     services. I hardly recommend this especially if there's a Windows
     box behind the NAT host. Take care, natd uses a syntax like
     "local_addr public_addr", not vice versa, which one would have
     expected. Read the man page :-)

Some ipfw configuration:

        ipfw add n allow all from any to a.b.c.d

        ipfw add n++ divert 8668 all from any to a.b.c.d+1
        ipfw add n++ divert 8668 all from e.f.g.h+1 to any

        ipfw add n++ allow all from any to any

With these fragments you should be able to build a setup with which you
can reach your Windows box with the alias IP from the outside. I think
this is a good starting point for understanding what the firewall does.

From now on, you have to tune it so that it does exactly as you need,
I mean, redirect special ports and so on. Use the logging functions
of natd, ipfirewall and perhaps a tcpdump to find out what happens
on your network. This will give you enough diagnostic information
to see which firewall rule is still missing or what the software you're
using needs in addition.

Have fun :-)

Regards,

Martin
-- 
FreibergNet Systemhaus GbR                   Martin Welk * Sales, Support
Systemhaus für Daten- und Netzwerktechnik           phone +49 3731 781387
Unternehmensgruppe Liebscher & Partner                fax +49 3731 781377
D-09599 Freiberg * Am St. Niclas Schacht 13    http://www.freibergnet.de/
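The two mistakes the post's notes (*) and (**) warn about (a divert port that does not match what natd listens on, and redirect_address written as public/local instead of local/public), plus a divert rule placed after the final "allow all", are all easy to catch before the rules go live. The following checker is an added example and not part of the original message or of FreeBSD's natd/ipfw; it parses a natd.conf fragment and a list of ipfw commands in the shape shown above and reports inconsistencies. The addresses, the LAN prefix 192.168.1.0/24 and the rule numbers are constructed sample values, and the rule parser only understands the simple "from X to Y" rule form used in the post.

```python
"""Consistency checker for a natd.conf fragment and its ipfw ruleset.

Added example, not part of the original mailing-list post.  It encodes the
checks the post's notes (*) and (**) call for: every ipfw divert rule must
use the port natd listens on, redirect_address must be written as
'local_addr public_addr' (not the other way round), and the divert rules
must sit before the final catch-all allow rule.  All addresses are
constructed from documentation ranges.
"""
import ipaddress
import re

# Constructed sample: LAN behind the gateway, public alias addresses on x0.
LAN = ipaddress.ip_network("192.168.1.0/24")

NATD_CONF_OK = """\
port 8668
deny_incoming no
alias_address 203.0.113.10
redirect_address 192.168.1.20 203.0.113.11
"""

# Constructed misconfiguration: wrong port and swapped redirect arguments.
NATD_CONF_BAD = """\
port 8669
deny_incoming no
alias_address 203.0.113.10
redirect_address 203.0.113.11 192.168.1.20
"""

IPFW_RULES = """\
ipfw add 100 allow all from any to 203.0.113.10
ipfw add 200 divert 8668 all from any to 203.0.113.11
ipfw add 300 divert 8668 all from 192.168.1.20 to any
ipfw add 65000 allow all from any to any
"""

# Only the simple rule shape used in the post: "ipfw add N action [port] proto from S to D".
RULE_RE = re.compile(
    r"ipfw add (\d+) (allow|deny|divert)(?: (\d+))? \w+ from (\S+) to (\S+)"
)


def parse_natd(text):
    """Return the natd port and the (local, public) redirect_address pairs."""
    port, redirects = None, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "port":
            port = int(args[0])
        elif key == "redirect_address":
            redirects.append((args[0], args[1]))
    return port, redirects


def parse_ipfw(text):
    """Return the rules as dicts; lines that are not simple rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, port, src, dst = m.groups()
            rules.append({"num": int(num), "action": action,
                          "port": int(port) if port else None,
                          "src": src, "dst": dst})
    return rules


def check(natd_text, ipfw_text, lan=LAN):
    """Return a list of human-readable problems; an empty list means consistent."""
    natd_port, redirects = parse_natd(natd_text)
    rules = parse_ipfw(ipfw_text)
    diverts = [r for r in rules if r["action"] == "divert"]
    problems = []

    # 1. Every divert rule must hand packets to the port natd listens on.
    for r in diverts:
        if r["port"] != natd_port:
            problems.append(f"rule {r['num']} diverts to port {r['port']}, "
                            f"but natd listens on {natd_port}")

    # 2. Divert rules must come before the catch-all allow, or natd never
    #    sees the packets.
    catch_all = [r["num"] for r in rules
                 if r["action"] == "allow" and r["src"] == "any" and r["dst"] == "any"]
    for r in diverts:
        if catch_all and r["num"] > min(catch_all):
            problems.append(f"rule {r['num']} is after the catch-all allow rule "
                            f"{min(catch_all)}")

    # 3. redirect_address takes 'local_addr public_addr'; a non-LAN address on
    #    the left is the argument-order mistake the post warns about.  Also
    #    make sure some divert rule actually covers both sides of the redirect.
    for local, public in redirects:
        if ipaddress.ip_address(local) not in lan:
            problems.append(f"redirect_address {local} {public}: first argument "
                            "is not a LAN address (syntax is local_addr public_addr)")
        if not any(r["dst"] in ("any", public) for r in diverts):
            problems.append(f"no divert rule for packets to public address {public}")
        if not any(r["src"] in ("any", local) for r in diverts):
            problems.append(f"no divert rule for packets from local address {local}")
    return problems


if __name__ == "__main__":
    for name, conf in (("ok", NATD_CONF_OK), ("bad", NATD_CONF_BAD)):
        print(name, check(conf, IPFW_RULES) or "consistent")
```

Running the module prints "consistent" for the first configuration and three findings for the second (two divert rules pointing at the wrong port, one swapped redirect_address). Feeding it your real natd.conf and the output of `ipfw list` needs nothing more than adjusting the LAN prefix, which is the one piece of site knowledge the order-of-arguments check relies on.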