Date: Sat, 11 Mar 2000 23:49:27 -0500
From: "Crist J. Clark"
Reply-To: cjclark@home.com
To: Sam Carleton
Cc: FreeBSD Questions
Subject: Re: ipfw is not working
Message-ID: <20000311234927.I24340@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <38CB13D0.AB1EE916@miltonstreet.com>
References: <38C9D32F.E8F2254A@miltonstreet.com> <20000311123542.B23514@cc942873-a.ewndsr1.nj.home.com> <38CA9F0F.8A8F89F5@miltonstreet.com> <20000311172441.B24340@cc942873-a.ewndsr1.nj.home.com> <38CB13D0.AB1EE916@miltonstreet.com>

On Sat, Mar 11, 2000 at 10:51:07PM -0500, Sam Carleton wrote:
> "Crist J. Clark" wrote:
>
> > > Wait a second here. My understanding is that NAT and IP Masquerading are
> > > different. From my understanding, with IP Masq there only needs to be one valid
> > > IP address, that on the external card of the firewall. IP Masq gives all
> > > outgoing requests the one external IP address. With NAT, there needs to be one
> > > external IP address for every machine that wants to get to the Internet.
> > > Considering most folks at home only have one external IP address, they would
> > > want to use IP Masq. I have also heard IP Masq called PAT.
> > >
> > > Looking at page 506 of the 3rd edition of "The Complete FreeBSD", it looks like
> > > FreeBSD uses the terminology IP aliasing for what Linux folks call IP Masq. Am
> > > I correct?
> >
> > No. NAT only needs one registered IP address on the external
> > interface. If it required a one-to-one mapping, it'd be rather
> > useless. See the natd(8) manpage. Also see RFC 1631 and other RFCs
> > related to NAT if interested. (BTW, there are no RFCs about "IP
> > masquerading." No idea if there are differences.)
>
> Crist,
>
> A one-to-one mapping is not useless, that is what I want to do at home for part of my
> network. I have ADSL, my telephone company allows me to have four machines on the
> Internet at once, so I have an IP mask of 255.255.255.248. I want to have three
> different physical servers of sorts on the web, along with a few workstations. I
> want all the machines to be protected by a firewall. I figured I would set the
> servers on a 172.16.0.1 and have FreeBSD do a one-to-one NAT from the 172.16.0.x to
> the external addresses. I would also have a third NIC in the FreeBSD box on a
> 192.168.0.x, doing a one-to-many NAT for the workstations.
>
> I have a good grip on the concept of the firewall, but never worked with the
> one-to-one NAT, can you recommend any good books?

You are not doing all one-to-one NAT. Like you say, you also want a
one-to-many function for your workstations. If you were _only_ doing
one-to-one, I would not say it is worth the effort.

Anyway, I think all you need is in the natd(8) manpage and look at the
'-redirect_address' option.
--
Crist J. Clark                           cjclark@home.com
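A concrete natd(8) configuration for the layout Sam describes (one-to-one mapping for the servers via redirect_address, ordinary one-to-many NAT for the workstations), added here as an example that is not part of the original thread. The interface name xl0 and the 203.0.113.x public addresses are assumed placeholders standing in for the real ones; the private ranges are the ones from the thread.

```conf
# /etc/natd.conf  (example; "xl0" and 203.0.113.x are placeholders)

# External interface: natd rewrites traffic passing through it.
interface xl0

# One-to-one NAT for the servers on 172.16.0.x. Each private server gets
# its own public address out of the ISP-assigned /29 (255.255.255.248).
# Inbound packets for the public address are rewritten to the server;
# outbound packets from the server leave with that public address.
redirect_address 172.16.0.2 203.0.113.10
redirect_address 172.16.0.3 203.0.113.11
redirect_address 172.16.0.4 203.0.113.12

# Everything else leaving via xl0, i.e. the 192.168.0.x workstations, is
# rewritten to the address of xl0 itself. That is natd's default
# behaviour, so the one-to-many case needs no extra option.
use_sockets yes
same_ports yes

# /etc/rc.conf additions. The kernel needs "options IPFIREWALL" and
# "options IPDIVERT" for the divert socket natd listens on.
#
#   gateway_enable="YES"
#   firewall_enable="YES"
#   natd_enable="YES"
#   natd_interface="xl0"
#   natd_flags="-f /etc/natd.conf"
#
# The public addresses named in redirect_address must be aliased on xl0,
# otherwise the box never answers ARP for them and natd never sees the
# packets:
#
#   ifconfig_xl0_alias0="inet 203.0.113.10 netmask 255.255.255.255"
#   ifconfig_xl0_alias1="inet 203.0.113.11 netmask 255.255.255.255"
#   ifconfig_xl0_alias2="inet 203.0.113.12 netmask 255.255.255.255"
#
# The ipfw rule that hands packets to natd must sit before the rules
# that decide what is allowed, so filtering sees the translated
# addresses:
#
#   ipfw add 50 divert natd ip from any to any via xl0
```

Because the divert rule runs first, the firewall rules after it match on the private 172.16.0.x addresses for inbound traffic and on the public addresses for outbound traffic, which is what you want when writing per-server allow rules.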