Date:      Sun, 10 Dec 2000 17:27:54 -0500
From:      Lanny Baron <lnb@satan.freebsdsystems.com>
To:        Nash <nash@home.se>
Cc:        questions@FreeBSD.ORG
Subject:   Re: natd
Message-ID:  <20001210172754.D73046@satan.freebsdsystems.com>
In-Reply-To: <000a01c062f6$e3066d60$026fa8c0@nash.hemmet.chalmers.se>; from nash@home.se on Sun, Dec 10, 2000 at 11:16:47PM +0100
References:  <000a01c062f6$e3066d60$026fa8c0@nash.hemmet.chalmers.se>


Hi Nash,

I have included the natd man page. I hope it helps. I used to use natd but have not in some time.

Regards,

Lanny
On Sun, Dec 10, 2000 at 11:16:47PM +0100, Nash wrote:
> Hi,
>
> I wonder if someone can please tell me, who or what group it is that manages the "natd" daemon's problems. I've been having a problem with my server, that I just can't seem to get rid of.
>
> Thank you beforehand,
> Nash/

[Attachment: natd.txt]

NATD(8) 		FreeBSD System Manager's Manual 	       NATD(8)

NAME
     natd - Network Address Translation Daemon

SYNOPSIS
     natd [-unregistered_only | -u] [-log | -l] [-proxy_only] [-reverse]
          [-deny_incoming | -d] [-use_sockets | -s] [-same_ports | -m]
          [-verbose | -v] [-dynamic] [-in_port | -i port] [-out_port | -o port]
          [-port | -p port] [-alias_address | -a address]
          [-target_address | -t address] [-interface | -n interface]
          [-proxy_rule proxyspec] [-redirect_port linkspec]
          [-redirect_proto linkspec] [-redirect_address linkspec]
          [-config | -f configfile] [-log_denied]
          [-log_facility facility_name] [-punch_fw firewall_range]

DESCRIPTION
     This program provides a Network Address Translation facility for use with
     divert(4) sockets under FreeBSD.  It is intended for use with NICs - if
     you want to do NAT on a PPP link, use the -nat switch to ppp(8).

     natd normally runs in the background as a daemon.  It is passed raw IP
     packets as they travel into and out of the machine, and will possibly
     change these before re-injecting them back into the IP packet stream.

     It changes all packets destined for another host so that their source IP
     number is that of the current machine.  For each packet changed in this
     manner, an internal table entry is created to record this fact.  The
     source port number is also changed to indicate the table entry applying
     to the packet.  Packets that are received with a target IP of the current
     host are checked against this internal table.  If an entry is found, it
     is used to determine the correct target IP number and port to place in
     the packet.

     The following command line options are available.

     -log | -l   Log various aliasing statistics and information to the file
                 /var/log/alias.log.  This file is truncated each time natd is
                 started.

     -deny_incoming | -d
                 Do not pass packets destined for the current IP number that
                 have no entry in the internal translation table.

     -log_denied
                 Log denied incoming packets via syslog(3) (see also
                 -log_facility).

     -log_facility facility_name
                 Use specified log facility when logging information via
                 syslog(3).  Argument facility_name is one of the keywords
                 specified in syslog.conf(5).

     -use_sockets | -s
                 Allocate a socket(2) in order to establish an FTP data or IRC
                 DCC send connection.  This option uses more system resources,
                 but guarantees successful connections when port numbers
                 conflict.

     -same_ports | -m
                 Try to keep the same port number when altering outgoing
                 packets.  With this option, protocols such as RPC will have a
                 better chance of working.  If it is not possible to maintain
                 the port number, it will be silently changed as per normal.

     -verbose | -v
                 Do not call daemon(3) on startup.  Instead, stay attached to
                 the controlling terminal and display all packet alterations
                 to the standard output.  This option should only be used for
                 debugging purposes.

     -unregistered_only | -u
                 Only alter outgoing packets with an unregistered source
                 address.  According to RFC 1918, unregistered source
                 addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

     -redirect_port proto targetIP:targetPORT[-targetPORT]
                 [aliasIP:]aliasPORT[-aliasPORT]
                 [remoteIP[:remotePORT[-remotePORT]]]
                 Redirect incoming connections arriving to given port(s) to
                 another host and port(s).  Argument proto is either tcp or
                 udp, targetIP is the desired target IP number, targetPORT is
                 the desired target port number or range, aliasPORT is the
                 requested port number or range, and aliasIP is the aliasing
                 address.  Arguments remoteIP and remotePORT can be used to
                 specify the connection more accurately if necessary.  The
                 targetPORT range and aliasPORT range need not be the same
                 numerically, but must have the same size.  If remotePORT is
                 not specified, it is assumed to be all ports.  If remotePORT
                 is specified, it must match the size of targetPORT, or be 0
                 (all ports).  For example, the argument

                       tcp inside1:telnet 6666

                 means that incoming TCP packets destined for port 6666 on
                 this machine will be sent to the telnet port on the inside1
                 machine.

                       tcp inside2:2300-2399 3300-3399

                 will redirect incoming connections on ports 3300-3399 to host
                 inside2, ports 2300-2399.  The mapping is 1:1 meaning port
                 3300 maps to 2300, 3301 maps to 2301, etc.
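The 1:1 range mapping described above, as an added example in POSIX sh that is not part of the man page or of natd itself: it parses the targetIP:targetPORT[-targetPORT] and [aliasIP:]aliasPORT[-aliasPORT] arguments, enforces the same-size rule, and works out which target host and port a connection to a given alias-side port would reach. Host names such as inside2 are the man page's own placeholders; only numeric ports are handled (a service name like telnet would need a services(5) lookup, which this omits).

```sh
#!/bin/sh
# Added example, not natd code: validate a -redirect_port range pair and map
# an alias-side port to the target host:port it is redirected to.

# range_bounds "2300-2399" -> "2300 2399"; a single port "23" -> "23 23"
range_bounds() {
    case $1 in
        *-*) printf '%s %s\n' "${1%%-*}" "${1#*-}" ;;
        *)   printf '%s %s\n' "$1" "$1" ;;
    esac
}

# redirect_port_map TARGETSPEC ALIASSPEC PORT
#   TARGETSPEC = targetIP:targetPORT[-targetPORT]
#   ALIASSPEC  = [aliasIP:]aliasPORT[-aliasPORT]
# Prints "targetIP:port" for an alias-side PORT.  Returns 1 when the two
# ranges differ in size (natd rejects such a rule) and 2 when PORT lies
# outside the alias range (the rule would not apply).  Ports must be numeric.
redirect_port_map() {
    target_host=${1%%:*}
    target_range=${1#*:}
    case $2 in
        *:*) alias_range=${2#*:} ;;   # aliasIP present; only the port part matters here
        *)   alias_range=$2 ;;
    esac
    port=$3

    set -- $(range_bounds "$target_range")
    t_lo=$1; t_hi=$2
    set -- $(range_bounds "$alias_range")
    a_lo=$1; a_hi=$2

    # The ranges need not be numerically equal, but must have the same size.
    if [ $((t_hi - t_lo)) -ne $((a_hi - a_lo)) ]; then
        printf 'range size mismatch: %s vs %s\n' "$target_range" "$alias_range" >&2
        return 1
    fi
    if [ "$port" -lt "$a_lo" ] || [ "$port" -gt "$a_hi" ]; then
        return 2
    fi
    # 1:1 mapping: the offset into the alias range is the offset into the target range.
    printf '%s:%s\n' "$target_host" $((t_lo + port - a_lo))
}

# The man page's second example: alias port 3301 reaches inside2 port 2301.
redirect_port_map inside2:2300-2399 3300-3399 3301
```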

     -redirect_proto proto localIP [publicIP [remoteIP]]
                 Redirect incoming IP packets of protocol proto (see
                 protocols(5)) destined for publicIP address to a localIP
                 address and vice versa.

                 If publicIP is not specified, then the default aliasing
                 address is used.  If remoteIP is specified, then only packets
                 coming from/to remoteIP will match the rule.

     -redirect_address localIP publicIP
                 Redirect traffic for public IP address to a machine on the
                 local network.  This function is known as static NAT.
                 Normally static NAT is useful if your ISP has allocated a
                 small block of IP addresses to you, but it can even be used
                 in the case of single address:

                       redirect_address 10.0.0.8 0.0.0.0

                 The above command would redirect all incoming traffic to
                 machine 10.0.0.8.

                 If several address aliases specify the same public address as
                 follows

                       redirect_address 192.168.0.2 public_addr
                       redirect_address 192.168.0.3 public_addr
                       redirect_address 192.168.0.4 public_addr

                 the incoming traffic will be directed to the last translated
                 local address (192.168.0.4), but outgoing traffic from the
                 first two addresses will still be aliased to appear from the
                 specified public_addr.

     -redirect_port proto targetIP:targetPORT[,targetIP:targetPORT[,...]]
                 [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

     -redirect_address localIP[,localIP[,...]] publicIP
                 These forms of -redirect_port and -redirect_address are used
                 to transparently offload network load on a single server and
                 distribute the load across a pool of servers.  This function
                 is known as LSNAT (RFC 2391).  For example, the argument

                       tcp www1:http,www2:http,www3:http www:http

                 means that incoming HTTP requests for host www will be
                 transparently redirected to one of the www1, www2 or www3,
                 where a host is selected simply on a round-robin basis,
                 without regard to load on the net.

     -dynamic    If the -n or -interface option is used, natd will monitor the
                 routing socket for alterations to the interface passed.  If
                 the interface's IP number is changed, natd will dynamically
                 alter its concept of the alias address.

     -in_port | -i port
                 Read from and write to port, treating all packets as packets
                 coming into the machine.

     -out_port | -o port
                 Read from and write to port, treating all packets as packets
                 going out of the machine.

     -port | -p port
                 Read from and write to port, distinguishing packets as
                 incoming or outgoing using the rules specified in divert(4).
                 If port is not numeric, it is searched for in the services(5)
                 database.  If this option is not specified, the divert port
                 named natd will be used as a default.

     -alias_address | -a address
                 Use address as the aliasing address.  If this option is not
                 specified, the -interface option must be used.  The specified
                 address is usually the address assigned to the public network
                 interface.

                 All data passing out will be rewritten with a source address
                 equal to address.  All data coming in will be checked to see
                 if it matches any already-aliased outgoing connection.  If it
                 does, the packet is altered accordingly.  If not, all
                 -redirect_port, -redirect_proto and -redirect_address
                 assignments are checked and actioned.  If no other action can
                 be made and if -deny_incoming is not specified, the packet is
                 delivered unaltered to the local machine and port as
                 specified in the packet, but see the -target_address option
                 below.

     -t | -target_address address
                 Set the target address.  When an incoming packet not
                 associated with any pre-existing link arrives at the host
                 machine, it will be sent to the specified address.

                 The target address may be set to 255.255.255.255, in which
                 case all new incoming packets go to the alias address set by
                 -alias_address or -interface.

                 If this option is not used, or called with the argument
                 0.0.0.0, then all new incoming packets go to the address
                 specified in the packet.  This allows external machines to
                 talk directly to internal machines if they can route packets
                 to the machine in question.

     -interface | -n interface
                 Use interface to determine the aliasing address.  If there is
                 a possibility that the IP number associated with interface
                 may change, the -dynamic option should also be used.  If this
                 option is not specified, the -alias_address option must be
                 used.

                 The specified interface is usually the public network
                 interface.

     -config | -f file
                 Read configuration from file.  A file should contain a list
                 of options, one per line, in the same form as the long form
                 of the above command line options.  For example, the line

                       alias_address 158.152.17.1

                 would specify an alias address of 158.152.17.1.  Options that
                 do not take an argument are specified with an option of yes
                 or no in the configuration file.  For example, the line

                       log yes

                 is synonymous with -log.

                 Trailing spaces and empty lines are ignored.  A `#' sign will
                 mark the rest of the line as a comment.
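An added example, not code from the man page or from natd: a POSIX sh function that reads a configuration file of the form just described and prints the equivalent command line, applying the stated rules (one option per line, "opt yes" becomes -opt, "opt no" contributes nothing, other values become "-opt value", trailing spaces and empty lines are ignored, '#' starts a comment). The sample configuration is constructed here from the addresses the text uses. natd reads such a file itself with -config; this function is only a way to see what a file amounts to, or to lint one before installing it.

```sh
#!/bin/sh
# Added example, not natd code: convert a natd -config file into the
# equivalent command-line arguments, rejecting an option with no value.
natd_conf_to_args() {
    conf=$1
    args=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # '#' marks the rest of the line as a comment
        set -- $line              # word-split: leading/trailing blanks vanish
        if [ $# -eq 0 ]; then     # empty or comment-only line
            continue
        fi
        opt=$1
        shift
        if [ $# -eq 0 ]; then
            printf 'option "%s" needs a value or yes/no\n' "$opt" >&2
            return 1
        fi
        case $* in
            yes) args="$args -$opt" ;;         # flag switched on
            no)  ;;                            # flag switched off: nothing emitted
            *)   args="$args -$opt $*" ;;      # option with argument(s)
        esac
    done < "$conf"
    printf '%s\n' "${args# }"
}

# Constructed sample configuration, using the addresses from the man page.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# natd.conf - constructed sample
alias_address 158.152.17.1
log yes
deny_incoming no          # explicitly disabled: nothing emitted
redirect_port tcp inside1:telnet 6666

use_sockets yes
EOF

# A line naming an option without yes/no or a value is a configuration error.
bad_conf=$(mktemp)
printf 'log\n' > "$bad_conf"

natd_conf_to_args "$sample_conf"
# -> -alias_address 158.152.17.1 -log -redirect_port tcp inside1:telnet 6666 -use_sockets
```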

     -reverse    This option makes natd reverse the way it handles incoming
                 and outgoing packets, allowing it to operate on the internal
                 interface rather than the external one.

                 This can be useful in some transparent proxying situations
                 when outgoing traffic is redirected to the local machine and
                 natd is running on the internal interface (it usually runs on
                 the external interface).

     -proxy_only
                 Force natd to perform transparent proxying only.  Normal
                 address translation is not performed.

     -proxy_rule [type encode_ip_hdr | encode_tcp_stream] port xxxx server
                 a.b.c.d:yyyy
                 Enable transparent proxying.  Outgoing TCP packets with the
                 given port going through this host to any other host are
                 redirected to the given server and port.  Optionally, the
                 original target address can be encoded into the packet.  Use
                 encode_ip_hdr to put this information into the IP option
                 field or encode_tcp_stream to inject the data into the
                 beginning of the TCP stream.

     -punch_fw basenumber:count
                 This option directs natd to ``punch holes'' in an
                 ipfirewall(4) based firewall for FTP/IRC DCC connections.
                 This is done dynamically by installing temporary firewall
                 rules which allow a particular connection (and only that
                 connection) to go through the firewall.  The rules are
                 removed once the corresponding connection terminates.

                 A maximum of count rules starting from the rule number
                 basenumber will be used for punching firewall holes.  The
                 range will be cleared for all rules on startup.

RUNNING NATD
     The following steps are necessary before attempting to run natd:

     1.   Build a custom kernel with the following options:

               options IPFIREWALL
               options IPDIVERT

          Refer to the handbook for detailed instructions on building a custom
          kernel.

     2.   Ensure that your machine is acting as a gateway.  This can be done
          by specifying the line

               gateway_enable=YES

          in the /etc/rc.conf file or using the command

               sysctl -w net.inet.ip.forwarding=1

     3.   If you use the -interface option, make sure that your interface is
          already configured.  If, for example, you wish to specify tun0 as
          your interface, and you are using ppp(8) on that interface, you must
          make sure that you start ppp prior to starting natd.

     Running natd is fairly straightforward.  The line

          natd -interface ed0

     should suffice in most cases (substituting the correct interface name).
     Please check rc.conf(5) on how to configure it to be started
     automatically during boot.  Once natd is running, you must ensure that
     traffic is diverted to natd:

     1.   You will need to adjust the /etc/rc.firewall script to taste.  If
          you are not interested in having a firewall, the following lines
          will do:

               /sbin/ipfw -f flush
               /sbin/ipfw add divert natd all from any to any via ed0
               /sbin/ipfw add pass all from any to any

          The second line depends on your interface (change ed0 as
          appropriate).

          You should be aware of the fact that, with these firewall settings,
          everyone on your local network can fake his source-address using
          your host as gateway.  If there are other hosts on your local
          network, you are strongly encouraged to create firewall rules that
          only allow traffic to and from trusted hosts.

          If you specify real firewall rules, it is best to specify line 2 at
          the start of the script so that natd sees all packets before they
          are dropped by the firewall.

          After translation by natd, packets re-enter the firewall at the rule
          number following the rule number that caused the diversion (not the
          next rule if there are several at the same number).

     2.   Enable your firewall by setting

               firewall_enable=YES

          in /etc/rc.conf.  This tells the system startup scripts to run the
          /etc/rc.firewall script.  If you do not wish to reboot now, just run
          this by hand from the console.  NEVER run this from a remote session
          unless you put it into the background.  If you do, you will lock
          yourself out after the flush takes place, and execution of
          /etc/rc.firewall will stop at this point - blocking all accesses
          permanently.  Running the script in the background should be enough
          to prevent this disaster.
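The two points made above (with the three permissive lines, any host on the local network can spoof its source address through the gateway; and the divert rule should come first so natd sees packets before the firewall acts on them), as an added example that is neither FreeBSD's rc.firewall nor code from the man page. nat_ruleset prints an ipfw rule list that only lets the trusted local network source packets on the inside interface, and divert_first checks a rule list for the ordering the text recommends. Interface names fxp0/fxp1 and the network 192.168.0.0/24 are constructed placeholders; the rules are printed, not installed.

```sh
#!/bin/sh
# Added example, not FreeBSD's rc.firewall: a minimal NAT gateway ruleset with
# an anti-spoofing rule on the inside interface, plus a check that the
# "divert natd" rule is the first rule touching the external interface.

# nat_ruleset EXT_IFACE INT_IFACE TRUSTED_NET -> prints the ipfw commands
nat_ruleset() {
    ext=$1; int=$2; trusted=$3
    # Rule 100: packets entering on the inside must carry a trusted source,
    # so a local host cannot fake its source address through the gateway.
    # Rule 200: everything crossing the external interface goes through natd;
    # translated packets re-enter at the rule following 200 (see above).
    cat <<EOF
/sbin/ipfw -f flush
/sbin/ipfw add 100 deny log all from not $trusted to any in via $int
/sbin/ipfw add 200 divert natd all from any to any via $ext
/sbin/ipfw add 300 pass all from any to any
EOF
}

# divert_first RULES EXT_IFACE -> 0 when a "divert natd" rule exists and no
# earlier rule matches traffic on EXT_IFACE (natd would never see packets
# such a rule drops or passes), 1 otherwise.
divert_first() {
    ext=$2
    # The loop runs in an explicit subshell so "exit 1" only leaves the check.
    printf '%s\n' "$1" | (
        seen=0
        while IFS= read -r rule; do
            case $rule in
                "#"*)             ;;                            # comment line
                *"divert natd"*)  seen=1 ;;
                *"via $ext"*)     [ "$seen" -eq 1 ] || exit 1 ;;  # filter before divert
            esac
        done
        [ "$seen" -eq 1 ]
    )
}

nat_ruleset fxp0 fxp1 192.168.0.0/24
```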

SEE ALSO
     divert(4),  protocols(5),	rc.conf(5),  services(5),  syslog.conf(5),
     ipfw(8),  ppp(8).

AUTHORS
     This program is the result of the efforts of many people at different
     times:

     Archie Cobbs <archie@whistle.com> (divert sockets)
     Charles Mott <cmott@scientech.com> (packet aliasing)
     Eivind Eklund <perhaps@yes.no> (IRC support & misc additions)
     Ari Suutari <suutari@iki.fi> (natd)
     Dru Nelson <dnelson@redwoodsoft.com> (early PPTP support)
     Brian Somers <brian@awfulhak.org> (glue)

FreeBSD                          June 27, 2000



Archived at: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001210172754.D73046>