Date:      Fri, 23 Feb 2001 08:11:24 +0200
From:      "Patrick O'Reilly" <patrick@mip.co.za>
To:        "Peter Brezny" <peter@black.purplecat.net>, <freebsd-net@freebsd.org>
Subject:   RE: ipfw simple question
Message-ID:  <NDBBIMKICMDGDMNOOCAIEEEFCDAA.patrick@mip.co.za>
In-Reply-To: <Pine.BSF.4.05.10102221800540.8312-100000@black.purplecat.net>

Peter,

I speak under correction - I am a user, not an author, of natd and ipfw.
I'm sure that someone will correct me if I'm wrong....

ipfw does not allow you to specify multiple if names for the incoming or
outgoing packets, although you can specify both the in- and out- if names in
one rule.

ipfw does not allow you to specify multiple ip addresses for the from or to
ip.  The only provision made is to use an ip with a subnet mask, but you are
obviously aware of this as your first example uses that syntax (0.0.0.0/8).

as for natd: here is the theory I have seen, but I have never tested it
myself:
The natd_interface entry in rc.conf basically provides a default value for
the -interface argument for natd.
There is an entry for 'divert' in /etc/services which specifies the default
port number to be used for the -port argument for natd.  The default value
for this is 8668.

In your case you should be able to start the natd daemon by simply using the
command # natd (this is obviously in your rc scripts already).

My understanding is that you should be able to achieve what you want by
doing something like this in your rc scripts:
----
oif1=ed1			# your first external interface
oif2=ed2			# your second external interface
natdport1=8668		# port to use for nat on first interface
natdport2=8669		# port to use for nat on second interface

natd -port ${natdport1} -interface ${oif1}
natd -port ${natdport2} -interface ${oif2}
----

Now you should have two natd daemons running.
You need to divert packets correctly using ipfw, so you will need to add two
rules something like:
----
oif1=ed1			# your first external interface
oif2=ed2			# your second external interface
natdport1=8668		# port to use for nat on first interface
natdport2=8669		# port to use for nat on second interface

$fwcmd add 1 divert ${natdport1} all from any to any via ${oif1}
$fwcmd add 1 divert ${natdport2} all from any to any via ${oif2}
----

Please experiment or check this with another real expert before you put this
into your production environment!

One thing worries me about this - I suspect that if your box routes packets
in and out between these two external interfaces it will nat the packets
just the same as if the packets were from/to internal interfaces.  However,
there is an argument for natd called -unregistered_only which will only
perform nat on packets where the source address falls within the correct
ranges of unregistered addresses specified in RFC1918.  If you have been a
good boy and used unregistered addresses on your private network then it
should be safe (and correct I think) to add the -unregistered_only argument
to both of the natd commands above.

Please let me know how it goes....

Regards,
Patrick O'Reilly
---
"I do not feel obliged to believe that the same God who has endowed us with
sense, reason, and intellect has intended us to forego their use." --
Galileo Galilei
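The two-natd setup sketched above, written out as one script. This is an added example, not Patrick's script and not FreeBSD's own rc code; the interface names ed1/ed2, the base port 8668 (the 'divert' entry from /etc/services), the rule numbers 100/110 and the NATD/FWCMD variables are assumptions, and -unregistered_only is applied to both instances as the mail suggests.

```sh
#!/bin/sh
# Added example: start one natd per external interface, each on its own divert
# port, and add the matching ipfw divert rule for that interface.
# Interface names, base port/rule numbers and the NATD/FWCMD variables are
# assumptions. NATD and FWCMD default to "echo", so the script only prints the
# commands; set NATD=/sbin/natd FWCMD=/sbin/ipfw to actually apply them.

NATD=${NATD:-echo natd}
FWCMD=${FWCMD:-echo ipfw}
BASE_PORT=${BASE_PORT:-8668}    # default 'divert' port from /etc/services
BASE_RULE=${BASE_RULE:-100}     # assumed ipfw rule number for the first divert

# Divert port for the Nth external interface: 8668, 8669, ...
natd_port() {
    echo $((BASE_PORT + $1 - 1))
}

# ipfw rule number for the Nth external interface: 100, 110, ...
divert_rule_no() {
    echo $((BASE_RULE + ($1 - 1) * 10))
}

# natd arguments for interface $1 listening on divert port $2.
# -unregistered_only restricts translation to packets with RFC1918 source
# addresses, so traffic routed between the two external interfaces is left
# untouched (the concern raised in the mail).
natd_args() {
    echo "-port $2 -interface $1 -unregistered_only"
}

# ipfw divert rule handing every packet seen on interface $1 to port $2,
# installed as rule number $3.
divert_rule() {
    echo "add $3 divert $2 all from any to any via $1"
}

# Start natd and install the divert rule for each external interface given.
start_nat() {
    n=1
    for oif in "$@"; do
        port=$(natd_port "$n")
        $NATD $(natd_args "$oif" "$port")
        $FWCMD $(divert_rule "$oif" "$port" "$(divert_rule_no "$n")")
        n=$((n + 1))
    done
}

start_nat ed1 ed2
```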


-----Original Message-----
From: owner-freebsd-net@FreeBSD.ORG
[mailto:owner-freebsd-net@FreeBSD.ORG]On Behalf Of Peter Brezny
Sent: 23 February 2001 01:07
To: freebsd-net@FreeBSD.ORG
Subject: ipfw simple question


Hello,

I've just added a second external interface to a machine.  I'd like to not
have to duplicate all the rules that involve outside interfaces.


I've got rules like

        $fwcmd add deny all from 0.0.0.0/8 to any in via $oif

is it possible to specify multiple interfaces for one rule by letting

oif= ed0,ed1

?

Similarly, would that work for the ip's of the outside if's?

        $fwcmd add allow ip from $oip to any keep-state out via $oif

oip= 10.10.1.1,10.10.1.2

?


And finally, my rc.conf defines the interface for natd like this:


natd_interface="xl0"


is it possible to have natd run on both external interfaces without
causing problems?  how would i configure that?


TIA

pb


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NDBBIMKICMDGDMNOOCAIEEEFCDAA.patrick>