From owner-freebsd-questions Fri May 5 20:04:51 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from workhorse.iMach.com (workhorse.iMach.com [206.127.77.89]) by hub.freebsd.org (Postfix) with ESMTP id 81E9637BE3C for ; Fri, 5 May 2000 20:04:48 -0700 (PDT) (envelope-from forrestc@IMACH.COM)
Received: from localhost (forrestc@localhost) by workhorse.iMach.com (8.9.3/8.9.3) with ESMTP id UAA27569 for ; Fri, 5 May 2000 20:04:23 -0600 (MDT)
Date: Fri, 5 May 2000 20:04:23 -0600 (MDT)
From: "Forrest W. Christian"
To: questions@freebsd.org
Subject: NATD Configuration.
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have an interesting NATD configuration problem.

I currently have a machine running a version of 3-STABLE with three interfaces:

  interface wi0 - WaveLAN interface to the Internet
  interface ed0 - "Private" ethernet segment - 192.168.1.x
  interface ed1 - "Public" ethernet segment - 206.127.x.x

The goal is to have ed0 sit behind the functionality of natd, not only for the address translation benefits but also for security, and to have the ed1 interface essentially "wide open".

Currently I have natd running on wi0 "normally" with -unregistered_only enabled. This works great and provides great natural security from the net - except there is one gaping security hole. Because natd is running on wi0, there is no translation done between ed0 and ed1, and thus any machine on ed1 can directly reach any machine on ed0, which is undesired.

I would like to move the divert/natd to ed1; however, I haven't been able to get this to work. I have played with the -reverse option on natd and various manglings of the divert line. I have left the interface set to wi0 as I would like it to use the wi0 address for translation. (I thought this was going to be much easier.)

Does anyone have any ideas on how to do this or pointers to advanced natd configuration files?
FYI, I am kinda stuck with ipfw/natd for right now as this is running on a custom PicoBSD floppy which I don't really want to rebuild right now. If anyone has any experiences with ipfilter vs ipfw/nat I would love to have an off-list discussion with them.

- Forrest W. Christian (forrestc@imach.com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems. (406)-442-6648
----------------------------------------------------------------------
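The hole described in the post (ed1 hosts reaching ed0 directly because natd only diverts on wi0) can be closed with ordinary ipfw filter rules while natd stays on the uplink, which avoids the -reverse experiments altogether. The script below is an added example and not code from the post or from FreeBSD; the interface names, the 192.168.1.0/24 private prefix and the -unregistered_only (-u) natd mode come from the post, while the rule numbers, the placement of the rules and the use of ipfw's recv/established keywords are assumptions about a 3-STABLE ruleset.

```shell
#!/bin/sh
# Added example: keep natd diverting on the wi0 uplink (as the post already
# does) and block traffic that arrives on the public segment ed1 bound for
# the private segment ed0, instead of moving the divert to ed1.
# Interface names and 192.168.1.0/24 come from the post; rule numbers
# and ordering are assumptions.

PRIV_IF=ed0
PUB_IF=ed1
UPLINK_IF=wi0
PRIV_NET=192.168.1.0/24

# Print the ruleset. Nothing is applied unless the output is piped to sh.
natd_rules() {
    cat <<EOF
ipfw -f flush
# Translate unregistered (RFC 1918) sources on the uplink, as today.
# natd itself runs as: natd -n $UPLINK_IF -u
ipfw add 100 divert natd ip from any to any via $UPLINK_IF
# Replies to TCP sessions that $PRIV_IF opened toward $PUB_IF may come back.
ipfw add 200 allow tcp from any to $PRIV_NET in recv $PUB_IF established
# Anything else arriving on $PUB_IF for the private segment is dropped and logged.
ipfw add 300 deny log ip from any to $PRIV_NET in recv $PUB_IF
# Everything else passes, matching the "wide open" policy for $PUB_IF.
ipfw add 65000 allow ip from any to any
EOF
}

# Sanity check: how many rules mention the private segment (expect 2).
count_priv_rules() {
    natd_rules | grep -c "$PRIV_NET"
}

# Usage: sh natd-rules.sh          (review the rules)
#        sh natd-rules.sh | sh     (apply them, as root, on the router)
natd_rules
```

The stateless `established` rule only covers TCP; UDP or ICMP that ed0 initiates toward ed1 would have its replies dropped by rule 300, so add narrow allow rules for any such service before it rather than weakening the deny. Because natd never translates ed0-to-ed1 traffic in this layout, ed1 hosts still see the real 192.168.1.x source addresses of connections ed0 opens; the deny rule is what provides the isolation the post is after.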