Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 27 Nov 2001 18:47:38 -0700
From:      "Kendall Gifford" <>
To:        <>
Subject:   Some natd configuration question(s)
Message-ID:  <000001c177ae$a9905d70$>

Next in thread | Raw E-Mail | Index | Archive | Help
A while back I (Kendall Gifford) wrote:

>> We have a DSL connection to which a FreeBSD 4.4-Stable box
>> is connected called foobar. Foobar is the LAN's NAT-firewall.
>> Our web server is inside our LAN and all requests are
>> naturally forwarded by natd. The problem is when LAN clients
>> try to access our web server via foobar.... [chop]

I also mentioned that we run LAN-only DNS so that in normal
operation, a LAN web client shouldn't try to access the web
site via foobar.

On Tuesday [11/20/2001] Patrick O'Reilly responded:
> ...natd does run on a psecific interface (specified by the
> -n or -a argument to natd), and since the offending packets
> are entering 'foobar' via a different interface, natd does not
> have an opportunity to do its work. ...[whack]...
> I think you need to address this problem on your primary DNS.
> Make sure it responds and services your internal clients
> reliably.  Is the internal DNS server also FreeBSD?

No, the DNS server is a Windows machine over which I have no
administrative control :-(. It just can't be depended upon to
always be up (as is evident by the presence of this whole issue).

On Wednesday [11/21/2001] Ruslan Ermilov wrote:
> Alternatively, you can run a second copy of natd(8) on your
> LAN interface (on the firewall box), and feed it with traffic
> from your LAN machines to your public IP spool.  That way,
> your WWW server running on public IP address will see requests
> coming from the NAT machine, and reply packets will undergo
> a reverse process, and all should be working as expected.
> The rule of thumb: make sure the reply packets go through
> the NAT as well.

First off, thanks Patrick, Ruslan, and Kjell (not quoted) for
the help, and sorry for not acknowledging for so long. I have
a second copy of natd running now and I feed it the traffic
from my LAN machines trying to reach my public IP interface. I
have verified that this second copy of natd is getting the
packets, but I'm not sure how to configure natd in this
situation. The options to natd that I have tried (and that
haven't worked) are:

(present in all variations):
] interface xl1
] port 8670 (the one ipfw diverts to this copy of natd)
] log
(have tried various combinations of these options):
] reverse
] redirect_port tcp <LAN_WWW_IP>:80 80
] proxy_only
] proxy_rule port 80 server <LAN_WWW_IP>:80

I'm just not very sure what some of the settings do and would
welcome any suggestions, enlightenment, or direction where to
get such extended information.

Kendall Gifford

To Unsubscribe: send mail to
with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <$a9905d70$f801a8c0>