Date:      Fri, 5 May 2000 20:04:23 -0600 (MDT)
From:      "Forrest W. Christian" <forrestc@iMach.com>
To:        questions@freebsd.org
Subject:   NATD Configuration.
Message-ID:  <Pine.BSF.4.21.0005051943020.27250-100000@workhorse.iMach.com>


I have an interesting NATD configuration problem.

I currently have a machine running a version of 3-STABLE with three
interfaces:

  interface wi0 - WaveLAN Interface to the Internet
  interface ed0 - "Private" ethernet segment - 192.168.1.x
  interface ed1 - "Public" ethernet segment - 206.127.x.x

The goal is to have ed0 sit behind the functionality of natd not only for
the address translation benefits but also for security and to have the ed1
interface essentially "wide open".

Currently I have natd running on wi0 "normally" with -unregistered_only
enabled.  This works great and provides great natural security from the
net - except there is one gaping security hole.  Because natd is running
on wi0 there is no translation done between ed0 and ed1 - and thus any
machine on ed1 can directly reach any machine on ed0 which is undesired.

I would like to move the divert/natd to ed1, however I haven't been able
to get this to work.  I have played with the -reverse option on natd and
various manglings of the divert line.  I have left the interface set to
wi0 as I would like it to use the wi0 address for translation.  (I thought
this was going to be much easier).

Does anyone have any ideas on how to do this or pointers to advanced natd
configuration files?

FYI, I am kinda stuck with ipfw/natd for right now as this is running on a
custom PicoBSD floppy which I don't really want to rebuild right now.  If
anyone has any experiences with ipfilter vs ipfw/nat I would love to have
an off-list discussion with them.

- Forrest W. Christian (forrestc@imach.com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
