Date:      Mon, 03 Apr 2000 10:44:18 +0100
From:      Brian Somers <brian@Awfulhak.org>
To:        Luigi Rizzo <luigi@info.iet.unipi.it>
Cc:        Brian Somers <brian@Awfulhak.org>, Brendan Kosowski <brendan@bmk.com.au>, FreeBSD Networking <freebsd-net@FreeBSD.ORG>, brian@hak.lan.Awfulhak.org, brian@hak.lan.Awfulhak.org
Subject:   Re: natd problem 
Message-ID:  <200004030944.KAA01499@hak.lan.Awfulhak.org>
In-Reply-To: Message from Luigi Rizzo <luigi@info.iet.unipi.it>  of "Mon, 03 Apr 2000 10:38:40 +0200." <200004030838.KAA56450@info.iet.unipi.it>

If you've got a spare IP number, I prefer this:

        $fwcmd add 101 divert natd all from 172.16.0.0/12 to any out via fxp0
        $fwcmd add 102 divert natd all from any to $natd_interface in via fxp0

Here, natd_interface is my spare IP number (which has been ifconfig'd 
as an alias on fxp0) and 172.16.0.0/12 is my internal network.

All connections going out get the default (first) IP number on fxp0 
and natd doesn't even get to see them.  You may also want to add

        $fwcmd add 101 divert natd all from $natd_interface to any out via fxp0

just in case someone wants to use something like datapipe (ports) to 
specifically make their from address the same as $natd_interface.

> > The problem here is that the reply packets are going direct and 
> > aren't getting de-aliased by natd - natd doesn't even get to see them.
> 
> speaking of this... the usual suggestion for setting NATD is to
> config the firewall as
> 
> 	ipfw -q flush
> 	ipfw add 100 divert natd ip from any to any via $natd_interface
> 	ipfw add 200 allow ip from any to any
> 
> but this puts a lot of load on the machine acting as natd daemon,
> as all local traffic is also passed to the daemon where it is not
> subject to any translation.
> In some cases this is quite a problem e.g. when you put
> all sorts of services on the same machine doing natd.
> 
> Does anyone have a more accurate way to pass interesting packets
> to the daemon?
> 
> I could probably come up with something but I'd rather avoid
> duplicating work already done.
> 
> 	cheers
> 	luigi
> 

-- 
Brian <brian@Awfulhak.org>                        <brian@[uk.]FreeBSD.org>
      <http://www.Awfulhak.org>;                   <brian@[uk.]OpenBSD.org>
Don't _EVER_ lose your sense of humour !
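As an added illustration (not part of this thread, and not ipfw itself), here is a small Python model of ipfw's first-match rule walk that compares Luigi's single "via" divert rule with the targeted rules above. The addresses, the trailing allow rule and the sample packets are constructed assumptions; it shows which packets natd would get to see under each rule set.

```python
import ipaddress
from collections import namedtuple

# direction is "in" or "out" for a packet; a rule may also say "via" (either way)
Pkt = namedtuple("Pkt", "src dst direction iface")
Rule = namedtuple("Rule", "number action src dst direction iface")

def _addr_ok(spec, addr):
    """'any', a single address or a CIDR prefix, as ipfw accepts them."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def first_action(rules, pkt):
    """Walk the rule set in number order; the first match wins, as in ipfw."""
    for r in sorted(rules, key=lambda r: r.number):
        if (_addr_ok(r.src, pkt.src) and _addr_ok(r.dst, pkt.dst)
                and r.iface == pkt.iface and r.direction in ("via", pkt.direction)):
            return r.action
    return "deny"  # ipfw's implicit final rule

def diverted(rules, pkt):
    return first_action(rules, pkt) == "divert"

NATD_IF = "192.0.2.10"    # constructed: the spare address aliased onto fxp0
DEFAULT_IP = "192.0.2.1"  # constructed: the primary address of fxp0

# Luigi's usual suggestion: everything crossing fxp0 is handed to natd.
BROAD = [Rule(100, "divert", "any", "any", "via", "fxp0"),
         Rule(200, "allow", "any", "any", "via", "fxp0")]

# Brian's three divert rules, plus an assumed trailing allow so both sets are complete.
TARGETED = [Rule(101, "divert", "172.16.0.0/12", "any", "out", "fxp0"),
            Rule(101, "divert", NATD_IF, "any", "out", "fxp0"),
            Rule(102, "divert", "any", NATD_IF, "in", "fxp0"),
            Rule(200, "allow", "any", "any", "via", "fxp0")]

# Constructed sample traffic.
INTERNAL_OUT = Pkt("172.16.1.5", "203.0.113.7", "out", "fxp0")   # internal host leaving
REPLY_TO_NAT = Pkt("203.0.113.7", NATD_IF, "in", "fxp0")         # reply to the alias
LOCAL_SERVICE_IN = Pkt("203.0.113.7", DEFAULT_IP, "in", "fxp0")  # a service on the box
LOCAL_OUT = Pkt(DEFAULT_IP, "203.0.113.7", "out", "fxp0")        # the box's own traffic
ALIAS_AS_SOURCE = Pkt(NATD_IF, "203.0.113.7", "out", "fxp0")     # the datapipe case

if __name__ == "__main__":
    for name, pkt in [("internal out", INTERNAL_OUT), ("reply to alias", REPLY_TO_NAT),
                      ("local service in", LOCAL_SERVICE_IN), ("local out", LOCAL_OUT)]:
        print(f"{name:16} broad={diverted(BROAD, pkt)!s:5} targeted={diverted(TARGETED, pkt)}")
```

Under the broad rule every packet on fxp0 is diverted; under the targeted rules only internal traffic, replies to the alias, and packets sourced from the alias reach natd, while the gateway's own services are never passed to the daemon.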