Date:      Fri, 30 Jul 1999 17:51:32 +0100
From:      Brian Somers <brian@FreeBSD.org.uk>
To:        Ruslan Ermilov <ru@FreeBSD.org>
Cc:        Brian Somers <brian@FreeBSD.org.uk>, wayne@crb-web.com, FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject:   Re: help w/ NATD rules on aliased ip address 
Message-ID:  <199907301651.RAA03994@keep.lan.Awfulhak.org>
In-Reply-To: Your message of "Fri, 30 Jul 1999 14:41:20 +0300." <19990730144120.A85626@relay.ucb.crimea.ua> 

> On Thu, Jul 29, 1999 at 09:15:50AM +0100, Brian Somers wrote:
> > > I wish to use NATD on a computer with a single interface card in it.  I have
> > > looked in the handbook and "The Complete FreeBSD" but neither has information
> > > pertaining to this particular information.  I am currently running linux as a
> > > natbox in this configuration but wish to switch it to freebsd.
> > > 
> > > If anyone could help me with the natd switches and the ipfw rules I would
> > > greatly appreciate it.
> > > 
> > > Here is my configuration:
> > > 
> > > 	public interface 207.196.47.5 netmask 255.255.255.240
> > > 	interface on private network 10.0.0.50
> > > 		netmask of private network 255.255.255.0
> > > 
> > > I have tried natd -u -a 207.196.47.5 but this did not seem to work.  I saw
> > > natd viewing the packets on debug but it did not translate them and they went 
> > > nowhere.
> > 
> > I *think* this is possible, but with some odd ipfw lines - something 
> > like:
> > 
> > ipfw add pass        all from 10.0.0.0/8 to 207.196.47.5 in
> > ipfw add divert natd all from 10.0.0.0/8 to any out
> > 
> This rule has a side effect that will cause the packet from
> 10.0.0.50 to 10.0.0.1 to be aliased to appear from 207.196.47.5,
> which is undesirable, IMO.
> > ipfw add divert natd all from any to 207.196.47.5 in
> > 
> > The idea is to ensure that natd isn't given each packet twice.
> > If this works, I'd suggest it's added to the man page.
> > 
> 
> My idea is to emulate two logical interfaces (private and external)
> on one physical, and to run natd(8) on external interface only
> [read: alias only those packets that are xmitted via an external
> interface].  Here are the rules that implement this:
> 
> # Emulate private interface; skip aliasing if packet came from
> # or is sent to the local address:
> 00100 allow ip from 10.0.0.0/8 to any via ed0 in
> 00200 allow ip from any to 10.0.0.0/8 via ed0 out
> 
> # Everything else is assumed to be sent/received via an external
> # interface, so alias and de-alias as usual:
> 00300 divert natd from any to any via ed0
> 
> # And finally, let the traffic pass through:
> 00400 allow ip from any to any [via ed0]

Yes, you're right.  This makes more sense.

> Cheers,
> -- 
> Ruslan Ermilov		Sysadmin and DBA of the
> ru@ucb.crimea.ua	United Commercial Bank,
> ru@FreeBSD.org		FreeBSD committer,
> +380.652.247.647	Simferopol, Ukraine
> 
> http://www.FreeBSD.org	The Power To Serve
> http://www.oracle.com	Enabling The Information Age

-- 
Brian <brian@Awfulhak.org>                        <brian@FreeBSD.org>
      <http://www.Awfulhak.org>                    <brian@OpenBSD.org>
Don't _EVER_ lose your sense of humour !          <brian@FreeBSD.org.uk>
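The two rule sets above, walked through as an added example that is not part of this thread: a small first-match simulator (Python, my own code, not ipfw) that models the box's single interface by treating "via ed0" as implicit, uses 198.51.100.7 as a constructed outside address, and shows why Ruslan's rules leave the 10.0.0.50 to 10.0.0.1 packet alone while Brian's divert it to natd.

```python
from ipaddress import ip_address, ip_network

# Rule = (number, action, src, dst, direction).  direction None means the
# rule matches both "in" and "out" (ipfw "via ed0" with no in/out keyword).
# "via ed0" is modelled as implicit: with one NIC every packet crosses ed0.
BRIAN_RULES = [
    (100, "allow",  "10.0.0.0/8", "207.196.47.5/32", "in"),
    (200, "divert", "10.0.0.0/8", "any",             "out"),
    (300, "divert", "any",        "207.196.47.5/32", "in"),
]
RUSLAN_RULES = [
    (100, "allow",  "10.0.0.0/8", "any",        "in"),    # emulated private if
    (200, "allow",  "any",        "10.0.0.0/8", "out"),
    (300, "divert", "any",        "any",        None),    # "external" traffic
    (400, "allow",  "any",        "any",        None),
]

def _matches(spec, addr):
    """ipfw-style address match: 'any' or membership in a CIDR block."""
    return spec == "any" or ip_address(addr) in ip_network(spec)

def first_match(rules, src, dst, direction):
    """Return (rule number, action) of the first rule matching the packet,
    the way ipfw stops at the first hit.  (None, 'default-policy') means no
    rule matched, which is what Brian's list, as quoted, leaves to the
    kernel's compiled-in default."""
    for num, action, s, d, dirn in rules:
        if dirn not in (None, direction):
            continue
        if _matches(s, src) and _matches(d, dst):
            return num, action
    return None, "default-policy"

def is_aliased(rules, src, dst, direction):
    """True if the packet would be handed to natd (and therefore aliased)."""
    return first_match(rules, src, dst, direction)[1] == "divert"

if __name__ == "__main__":
    # The side effect Ruslan points out: the box's own packet to a LAN host.
    for name, rules in (("Brian", BRIAN_RULES), ("Ruslan", RUSLAN_RULES)):
        print(name, "10.0.0.50 -> 10.0.0.1 out:",
              first_match(rules, "10.0.0.50", "10.0.0.1", "out"))
```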