From: Erik Nørgaard <norgaard@locolomo.org>
Date: Sun, 02 Apr 2006 12:29:43 +0200
To: Juergen Heberling
Cc: freebsd-questions@freebsd.org
Subject: Re: ipnat syntax error?
Message-ID: <442FA797.6060307@locolomo.org>
In-Reply-To: <442F3268.30409@hicom.net>

Juergen Heberling wrote:
>>> /etc/ipnat.rules contains:
>>> map em0 192.168.1.0/24 -> 204.134.75.1-10
>>> .. snip ..
> I tried your suggestion of using the cidr notation format and that works;
> thank you!
>
> However I am concerned about overlapping mappings in the cidr range with
> host-to-host maps - my cidr range is a /28, for example,
> and I want to map (spoof) some IP address in the middle to, say the web
> or mail servers. In order to avoid the overlap I was counting on the
> "range" specification on the map command.

Well, my suggestion is not to exhaust your precious /28 address space right away. And don't make your life unnecessarily difficult; why choose the addresses in the middle for bimap?

Rather than using all your external ip's right away I would save some for later expansion, and reserve one for debugging. You may need to connect a laptop on the external net to figure out what's going on.

You could do this:

  x.x.x.0/29   to servers (bimap)
  x.x.x.8/30   debug and future expansion (not mapped)
  x.x.x.12/30  map for lan clients

If you stick to cidr you can also write your filter rules in cidr, making it far easier to read and maintain.

For the mapping and bimapping consider this: the /24 network you want to map contains at most 254 hosts. If you map that network to a single ip, then each host can establish at least 256 simultaneous connections. My experience is that this is far more than needed in most normal operating environments. I'd suggest using the same ip as on the firewall external interface.

If the purpose of binatting is to make one service available, http say, then you may consider using rdr. IIRC you can also use rdr to round-robin load balance incoming connections. That way you can have one host serving http and another serving smtp on the same external ip. The only reason to use different ip's is if you're hosting a number of https servers; each needs a different ip. There's no point in bimapping all ports on an external ip to one single internal ip if most of them are blocked by the filter.

Cheers, Erik

--
Ph: +34.666334818  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
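An /etc/ipnat.rules that puts the address plan and the rdr suggestion from Erik's reply into concrete rules, added here as an example and not taken from the thread; the /28 (204.134.75.0/28), the em0 interface address and every internal host address are assumed for illustration.

```conf
# Assumed address plan (example values, not the poster's real network):
#   204.134.75.0/28   the /28 assigned by the ISP
#   204.134.75.0/29   servers: bimap and rdr targets (.2, .3, .4 used below)
#   204.134.75.8/30   left unmapped: debug laptop on the external net, future use
#   204.134.75.12/30  outbound map for LAN clients; em0 itself is 204.134.75.14
#
# 1:1 mapping of one internal host to one external address, all ports.
# ipf filter rules must still restrict which ports are reachable.
bimap em0 192.168.1.10/32 -> 204.134.75.2/32

# One external address shared by two services on two different internal
# hosts: http to one box, smtp to another.
rdr em0 204.134.75.3/32 port 80 -> 192.168.1.20 port 80 tcp
rdr em0 204.134.75.3/32 port 25 -> 192.168.1.21 port 25 tcp

# Incoming http spread round-robin over two internal web servers.
rdr em0 204.134.75.4/32 port 80 -> 192.168.1.22,192.168.1.23 port 80 tcp round-robin

# Outbound NAT for the whole LAN behind em0's own address (0/32 means
# "use the interface address"). With one external IP and the portmap
# range below, roughly 55000 ports are shared by at most 254 hosts.
map em0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:65000
map em0 192.168.1.0/24 -> 0/32
```

Load it with `ipnat -CF -f /etc/ipnat.rules` and check the result with `ipnat -l`; the map rules must come last in the file since ipnat uses the first matching rule.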