Date: Tue, 17 Aug 1999 23:18:29 -0400
From: "James Gill" <gill@topsecret.net>
To: "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: RE: pls examine my rc.natd
Message-ID: <NDBBJDFMIMOCFNNCEKADKEAICPAA.gill@topsecret.net>
In-Reply-To: <NDBBJDFMIMOCFNNCEKADMEACCPAA.gill@topsecret.net>
I guess I should mention that with this in place (and kernel lines added in per the book), packets directed to port 25 on the firewall do not get forwarded to .33:25 but instead wind up in the firewall. Same thing with other ports. Also, I had set this up with natd interface as ed0, but then no traffic passed (?)

tia

> From what I can deduce from the handbook and from Lehey's book what I
> have here should work, but if it were I wouldn't be writing this. If
> someone would be kind enough to give this a look I'd be very
> appreciative.
>
> Here's my rc.conf:
> =============================================
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
>
> # revision 19990816 23:33
> # revisor gill@topsecret.net
>
> hostname="{kludged_for_paranoia}"
> releaseName="{releaseName}"
> tcp_extensions="YES"
>
> ### FIREWALL AND NATD CONFIG ###
> firewall_enable="YES"
> firewall_type="open"
>
> natd_program="/sbin/natd"
> natd_enable="YES"       #firewall_enable must also be set to yes
>                         #and ipdivert must also be in kernel
> natd_interface="ed1"
> natd_flags="-f /etc/rc.natd"
>
> #named_enable="YES"     #named is already working fine but the command to
>                         #start it should be moved here
> #named_program="{/path/to/named}"  #default /usr/sbin/named
> #named_flags=""
>
> #syslogd_enable="yes"   #I thought the system logger was already working?!
>
> ntpdate_enable="YES"
> ntpdate_flags="ncar.ucar.edu"
>
> network_interfaces="ed0 ed1 lo0"
> ifconfig_ed0="inet 10.101.101.2 netmask 255.255.255.192"
> ifconfig_ed1="inet 10.101.101.129 netmask 255.255.255.192"
> defaultrouter="10.101.101.1"
>
> gateway_enable="YES"    #does this still need to be here?
>
> #static_routes="route_int route_ext"   #list of static routes
> #route_int="-net 10.101.101.0 10.101.101.129"
> #route_ext="-net 10.101.101.128 10.101.101.2"
>
> ### CONSOLE ENVIRONMENT CONFIG ###
> saver="star"
> blanktime="300"
> =============================================
>
> Here's my rc.natd:
> =============================================
> #!/bin/sh
>
> # natd.conf
> # configuration file for network address translation program
> # version 0.3
> # 1999/08/17
> # gill@topsecret.net
> ###################################################################
> # specify this file by using the command-line jargon:
> # natd -config /etc/natd.conf
> ###################################################################
>
> # turn on logging, might turn off once the system is running smoothly
> # logs to /var/log/alias.log and is truncated each time natd is started
> log yes
>
> # deny packets destined for the current IP number
> # that have no entry in the internal translation table
> #deny_incoming yes
>
> # log denied packets via syslog
> log_denied yes
>
> # see syslog.conf(5) for facility names
> #log_facility {facility_name}
>
> # from natd manpage: "Allocate a socket(2) in order to establish an
> # FTP data or IRC DCC send connection. This option uses more system
> # resources, but guarantees successful connections when port numbers
> # conflict."
> #use_sockets yes
>
> # from natd manpage: "Try to keep the same port number when altering
> # outgoing packets. With this option, protocols such as RPC will have
> # a better chance of working. If it is not possible to maintain the
> # port number, it will be silently changed as per normal."
> #same_ports yes
>
> # FOR DEBUGGING: stay attached to the controlling terminal
> # and display all packet output to the stdout
> #verbose yes
>
> # Only alter outgoing packets with a 10.0.0.0/8, 172.16.0.0/12, or a
> # 192.168.0.0/16 address
> #unregistered_only yes
>
> ### redirected ports ###
> # redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT \
> #               [remoteIP[:remotePORT]]
> # example: redirect_port tcp inside1:telnet 6666
> # means that tcp packets destined for port 6666 on this machine will
> # be sent to the telnet port on the inside1 machine
> #redirect_port
> redirect_port tcp 10.101.101.33:21 21        #ftp
> redirect_port tcp 10.101.101.131:23 23       #telnet
> redirect_port tcp 10.101.101.33:25 25        #smtp
> redirect_port tcp 10.101.101.33:80 80        #www-tcp
> redirect_port udp 10.101.101.33:80 80        #www-udp
> redirect_port tcp 10.101.101.33:110 110      #pop3-tcp
> redirect_port udp 10.101.101.33:110 110      #pop3-udp
> #redirect_port tcp 123                       #ntp
>
>
> #anything below here is commented anyway, snipped for bandwidth...
>
> =============================================
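A sanity check one can run over an rc.conf and natd configuration like the ones quoted above, before exposing redirected services: it parses the `ifconfig_*` subnets, `natd_interface` and `defaultrouter` from rc.conf and the active `redirect_port` lines from the natd file, then reports which interface's subnet each redirect target and the default router fall on. This is added example code, not part of the original post or of FreeBSD; the sample inputs are constructed from the post's configuration, and the assumption it checks is that natd aliases on the interface named in `natd_interface` (normally the outward-facing one), so the default router should sit on that interface's subnet and the redirect targets should sit behind it, not on it.

```python
import ipaddress
import re

# Constructed sample input, modelled on the rc.conf quoted in the post
# (only the lines this check reads).
RC_CONF = """
natd_enable="YES"       #firewall_enable must also be set to yes
natd_interface="ed1"
network_interfaces="ed0 ed1 lo0"
ifconfig_ed0="inet 10.101.101.2 netmask 255.255.255.192"
ifconfig_ed1="inet 10.101.101.129 netmask 255.255.255.192"
defaultrouter="10.101.101.1"
"""

# Constructed sample input, modelled on the rc.natd quoted in the post.
RC_NATD = """
log yes
log_denied yes
#redirect_port
redirect_port tcp 10.101.101.33:21 21        #ftp
redirect_port tcp 10.101.101.131:23 23       #telnet
redirect_port tcp 10.101.101.33:25 25        #smtp
redirect_port udp 10.101.101.33:80 80        #www-udp
"""


def _strip(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_rc_conf(text):
    """Return (natd_interface, {ifname: IPv4Interface}, defaultrouter or None)."""
    assigned = {}
    for line in text.splitlines():
        m = re.match(r'^(\w+)="?([^"]*)"?$', _strip(line))
        if m:
            assigned[m.group(1)] = m.group(2)
    ifaces = {}
    for key, val in assigned.items():
        if not key.startswith("ifconfig_"):
            continue
        m = re.match(r"inet\s+(\S+)\s+netmask\s+(\S+)", val)
        if m:  # IPv4Interface accepts a dotted-decimal netmask after the slash
            ifaces[key[len("ifconfig_"):]] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    router = ipaddress.IPv4Address(assigned["defaultrouter"]) if "defaultrouter" in assigned else None
    return assigned.get("natd_interface"), ifaces, router


def _port(token):
    """Port tokens may be numeric or a service name (e.g. 'telnet'); keep names as-is."""
    return int(token) if token.isdigit() else token


def parse_redirects(text):
    """Return (proto, target IPv4Address, target port, alias port) for each
    active redirect_port line; commented-out lines are skipped."""
    out = []
    for line in text.splitlines():
        parts = _strip(line).split()
        if len(parts) < 4 or parts[0] != "redirect_port":
            continue
        proto, target, alias = parts[1], parts[2], parts[3]
        tip, tport = target.rsplit(":", 1)
        aport = alias.rsplit(":", 1)[-1]  # alias is [aliasIP:]aliasPORT
        out.append((proto, ipaddress.IPv4Address(tip), _port(tport), _port(aport)))
    return out


def check_config(rc_conf, rc_natd):
    """Cross-check natd_interface, the default route and every redirect target
    against the subnets configured on each interface."""
    natd_if, ifaces, router = parse_rc_conf(rc_conf)
    interface_notes = []
    if natd_if not in ifaces:
        interface_notes.append(f"natd_interface {natd_if} has no ifconfig_ line")
    elif router is not None and router not in ifaces[natd_if].network:
        via = [n for n, i in ifaces.items() if router in i.network]
        interface_notes.append(
            f"defaultrouter {router} is on {','.join(via) or 'no configured interface'}, "
            f"not on natd_interface {natd_if}")
    redirects = []
    for proto, tip, tport, aport in parse_redirects(rc_natd):
        on = [n for n, i in ifaces.items() if tip in i.network]
        notes = []
        if not on:
            notes.append("target is on no configured subnet")
        if natd_if in on:
            notes.append(f"target shares the subnet of natd_interface {natd_if}")
        redirects.append({"proto": proto, "target": str(tip), "target_port": tport,
                          "alias_port": aport, "interfaces": on, "notes": notes})
    return {"natd_interface": natd_if, "interface_notes": interface_notes, "redirects": redirects}


if __name__ == "__main__":
    result = check_config(RC_CONF, RC_NATD)
    for note in result["interface_notes"]:
        print("interface:", note)
    for r in result["redirects"]:
        flag = "; ".join(r["notes"]) or "ok"
        print(f"{r['proto']} {r['alias_port']} -> {r['target']}:{r['target_port']} "
              f"via {','.join(r['interfaces']) or '?'}: {flag}")
```

Run against the constructed sample, the check reports that the default router 10.101.101.1 is reachable via ed0 while natd_interface is ed1, and that the telnet redirect target 10.101.101.131 sits on ed1's own subnet while the .33 targets sit on ed0's. It does not decide which interface is "outside"; it only makes the interface and subnet layout explicit so that mismatches of this kind are visible before the redirects go live.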