Date:      Thu, 25 May 2000 12:14:03 -0600 (MDT)
From:      Nick Rogness <nick@rapidnet.com>
To:        wonko@entropy.tmok.com
Cc:        freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   Re: question about natd/ipfw
Message-ID:  <Pine.BSF.4.05.10005251157050.70178-100000@rapidnet.com>
In-Reply-To: <200005251526.LAA59553@entropy.tmok.com>

On Thu, 25 May 2000, Brian Hechinger wrote:

> i will have two sets of outside IP addresses, a single IP address that will be
> bound to my outside interface which comes from covad, and a /29 block from
> DCA Net.  the /29 will be routed through the outside interface into the NAT
> box, and from there i want to be able to use them as an "outside NAT pool"
> externally they will just look like an average domain, but that i will be able
> to redirect as i please internally.

	They just statically routed a /29 subnet to your outside IP.
	Nothing unusual about that.  Just set natd to handle them.  It is
	not very hard to implement...see below.

> 
> so, my question is: what do i do with the /29?  do i create aliases on my 
> outside interface for them all?  do i create aliases on my inside interface 
> for them all?  do i bind them to lo0? attaching them to the outside interface

	NO.  Do not bind them to your interfaces.  NATd will take care of
	all of that for you.  For example, if your net looked like this:

					    A         B
	DSL --> (Outside ethernet interface)==FreeBSD==(Inside interface) 

	At point A, set up your interface as the single outside IP that was
	given to you.  At point B, you do nothing, keep your inside IPs
	the way they are.  In ipfw rules:

	  ipfw add 150 divert natd ip from any to any via outside_interface

	In your nat setup (/etc/natd.conf):
	
	  interface outside_interface
	  port 8668
	  redirect_address inside_ip_A outside_IP_from_/29
	  redirect_address inside_ip_B outside_IP_from_/29
	  redirect_address inside_ip_C outside_IP_from_/29
	  redirect_address inside_ip_D outside_IP_from_/29
	  redirect_address inside_ip_E outside_IP_from_/29
	  redirect_address inside_ip_F outside_IP_from_/29

	Start natd:
	 /sbin/natd -f /etc/natd.conf

	This setup will allow you to shift which outside IP goes to which
	internal IP.  You can use redirect_port if you wish for more
	security.

> seems wrong to me as well as attaching them to the inside interface since
> they should be listened to on either interface, hence my thought to bind them
> to the loopback device since i view these things as being "virtual"
> 

	NO.  Do no binding.  It will not work.

> ipfw: using NAT and firewall_type="open" NAT blocks all non-redirected
> traffic?  

	That is because you must add the natd ipfw rule from above and
	setup nat to handle them.


Nick Rogness
- Speak softly and carry a Gigabit switch.
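As an added example (not part of the original reply), a small POSIX sh script that builds the natd.conf and ipfw divert rule described above from a routed block and a list of inside hosts, and refuses a host list longer than the block's usable addresses; the interface name fxp0 and all addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate natd.conf and the ipfw divert rule from a routed
# block and a list of inside hosts. Usable addresses (network and broadcast
# excluded) are handed out in order. All addresses are constructed examples.

# Dotted quad -> 32-bit integer, using only sh parameter expansion.
ip_to_int() {
    ip=$1
    a=${ip%%.*}; ip=${ip#*.}
    b=${ip%%.*}; ip=${ip#*.}
    c=${ip%%.*}; d=${ip#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# gen_natd_conf IFACE NET/PREFIX "inside1 inside2 ..."
# Prints a natd.conf with one redirect_address per inside host; returns 1 if
# there are more hosts than usable addresses (a /29 has 6, like A..F above).
gen_natd_conf() {
    iface=$1; block=$2; hosts=$3
    net=${block%/*}; plen=${block#*/}
    usable=$(( (1 << (32 - plen)) - 2 ))
    base=$(ip_to_int "$net")
    set -- $hosts
    if [ "$#" -gt "$usable" ]; then
        echo "gen_natd_conf: $# hosts but /$plen has only $usable usable addresses" >&2
        return 1
    fi
    printf 'interface %s\nport 8668\n' "$iface"
    i=1
    for inside in "$@"; do
        printf 'redirect_address %s %s\n' "$inside" "$(int_to_ip $((base + i)))"
        i=$((i + 1))
    done
}

# Matching divert rule: every packet crossing the outside interface passes
# through natd, which is what makes the routed block reachable without aliases.
ipfw_divert_rule() {
    echo "ipfw add 150 divert natd ip from any to any via $1"
}

# Example run: two inside hosts behind fxp0 with a routed 198.51.100.8/29.
gen_natd_conf fxp0 198.51.100.8/29 "192.168.1.10 192.168.1.11"
ipfw_divert_rule fxp0
```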