Date: Mon, 31 May 1999 17:55:32 +0200 (MET DST)
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: net@freebsd.org
Subject: natd question
Message-ID: <199905311555.RAA19371@labinfo.iet.unipi.it>
Hi,

there is one thing I don't fully understand about natd. I have a machine ("WIND") acting as a firewall between a local unregistered net (interface fxp0) and the rest of the internet (interface de0, using WIND as main address and MASQ as alias on de0).

I can manage to make natd work by setting net.inet.ip.forwarding=1 on WIND. However, I thought I could achieve the same goal by setting net.inet.ip.forwarding=0, and just using the following sequence:

    # incoming pkts for private hosts
    ipfw add 1000 skipto 2000 ip from PRIVATENET to MASQ recv de0 in
    # outgoing packets for external hosts
    ipfw add 1100 skipto 2000 ip from PRIVATENET to not PRIVATENET
    ipfw add 2000 divert natd ip from any to any
    ipfw add 2010 allow ip from any to any

However, running natd -verbose, I see that rule 1000 is matched, but the packet retains its original source IP, e.g.

    In [ICMP] 10.114.15.228 -> 131.114.9.5 aliased to 10.114.15.228 -> 131.114.9.5

and so when the packet is reinjected the local stack on WIND will drop it.

When I set forwarding on, the input rule does the same thing; fortunately the pkt still goes out because there is a valid route entry on WIND, and then on the _outgoing_ path natd actually changes the src address.

If I get it right, it seems that natd (i.e. libalias) will only change the SRC_IP on outgoing packets, and the DST_IP on incoming pkts. This is also consistent with the documentation, and it is obvious why (we would need to tell natd which one of the addresses to replace).

But I wonder, is there a way to tell natd to act straight on incoming packets, instead of forcing forwarding on, and having another pass through the firewall and the protocol stack?

cheers
luigi

-----------------------------------+-------------------------------------
 Luigi RIZZO, luigi@iet.unipi.it   . Dip. di Ing. dell'Informazione
 http://www.iet.unipi.it/~luigi/   . Universita` di Pisa
 TEL/FAX: +39-050-568.533/522      . via Diotisalvi 2, 56126 PISA (Italy)
 http://www.iet.unipi.it/~luigi/ngc99/
 ==== First International Workshop on Networked Group Communication ====
-----------------------------------+-------------------------------------
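An added example, not part of the post above and not natd or libalias code: a toy model of the direction-dependent aliasing the post infers (SRC rewritten only on the outgoing pass, DST only on the incoming pass), assuming a constructed MASQ address, so a reader can see why a private-source packet diverted on the input path comes back unchanged and why it gets aliased once forwarding sends it through the output path.

```python
# Added example, not from the post or from natd/libalias: a toy model of the
# direction-dependent aliasing the post infers (SRC rewritten only on the
# outgoing pass, DST only on the incoming pass).
from dataclasses import dataclass, replace
MASQ = "131.114.9.99"        # constructed alias address on de0 (assumption)
PRIVATE_PREFIX = "10.114."   # the unregistered net behind fxp0

@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    dst: str
    ident: int               # ICMP id / port, used as the session key

class ToyNat:
    """Minimal natd-like translator keyed on the alias side of a session."""
    def __init__(self, alias_ip):
        self.alias_ip = alias_ip
        self.sessions = {}   # (proto, alias_ident) -> (priv_src, priv_ident)
        self.next_ident = 40000

    def outgoing(self, p):
        """Outgoing pass: rewrite SRC only, and learn the session."""
        if not p.src.startswith(PRIVATE_PREFIX):
            return p
        alias_ident, self.next_ident = self.next_ident, self.next_ident + 1
        self.sessions[(p.proto, alias_ident)] = (p.src, p.ident)
        return replace(p, src=self.alias_ip, ident=alias_ident)

    def incoming(self, p):
        """Incoming pass: rewrite DST only, for a known session; anything
        else (e.g. a private-source packet diverted 'in') is left untouched."""
        key = (p.proto, p.ident)
        if p.dst != self.alias_ip or key not in self.sessions:
            return p
        priv_src, priv_ident = self.sessions[key]
        return replace(p, dst=priv_src, ident=priv_ident)

def input_path_divert():
    """Rule 1000 in the post: divert on 'recv de0 in' is an incoming pass."""
    nat = ToyNat(MASQ)
    return nat.incoming(Pkt("ICMP", "10.114.15.228", "131.114.9.5", 7))

def forwarding_path():
    """With forwarding on, the packet meets natd again on output, where SRC is aliased."""
    nat = ToyNat(MASQ)
    p = Pkt("ICMP", "10.114.15.228", "131.114.9.5", 7)
    out = nat.outgoing(nat.incoming(p))
    reply = nat.incoming(Pkt("ICMP", "131.114.9.5", MASQ, out.ident))
    return out, reply
```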