Date:      Mon, 22 Mar 1999 10:05:40 -0800
From:      "David Burger" <david@unet.tm>
To:        "'Tim Pushor'" <timp@orion.ab.ca>, "'Hugh Blandford'" <hugh@island.net.au>
Cc:        <questions@FreeBSD.ORG>
Subject:   RE: NAT Question
Message-ID:  <000001be748e$98efc120$9b2a0b0a@curly.hctg.saic.com>
In-Reply-To: <002601be7534$227b2ec0$9801a8c0@dedalus>

Tim,

Just a suggestion, have you tried adding the following two lines at the
beginning of your firewall rules:

ipfw add allow any from {protected} to any via any
ipfw add divert 6886 from {NATed} to any via {PubInterface}

I am not an expert, but this should allow open communication from the
protected interfaces to the internet without NAT getting in the way.  The
only thing I can see as a problem is packets coming back to the protected
interface.  This can easily be handled by additional rules.

Hope this helps,

David
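To make the rule-ordering point concrete, here is a small first-match simulator written for this archive page; it is not code from David, Tim, or the FreeBSD project. It models ipfw's "first matching rule wins" scan over the three subnets from Tim's message (the protected subnet is written there by its first host address, 207.122.216.129; its network address is 207.122.216.128/25) and compares David's ordering, where the protected subnet is passed before any divert, with a catch-all divert placed first. The public interface name ed0, the natd alias address 207.122.216.10, and the external host 198.51.100.7 are assumptions, and the model ignores that a forwarded packet actually passes ipfw once inbound and once outbound.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subnets from the thread.
PUBLIC = ipaddress.ip_network("207.122.216.0/25")
PROTECTED = ipaddress.ip_network("207.122.216.128/25")
PRIVATE = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Assumptions not in the thread: the public interface is ed0 and natd
# aliases private hosts to 207.122.216.10 on the public side.
PUB_IF = "ed0"
NAT_ALIAS = ipaddress.ip_network("207.122.216.10/32")
NATD_PORT = 6886  # must equal the port natd listens on (natd -port)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "divert"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: Optional[str] = None   # interface name, or None for "via any"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str                  # interface the packet is seen on


def first_match(rules, pkt):
    """ipfw semantics: scan rules in order, the first match decides.
    Returns (rule number, action); a miss falls through to the final
    rule 65535, treated here as deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for i, r in enumerate(rules, start=1):
        if s in r.src and d in r.dst and (r.via is None or r.via == pkt.iface):
            return 100 * i, r.action
    return 65535, "deny"


# David's ordering: routed public<->protected traffic is passed before
# the divert rules ever see it, so natd only touches the private subnet.
SUGGESTED = [
    Rule("allow", PROTECTED, ANY),            # outbound from protected
    Rule("allow", ANY, PROTECTED),            # replies back to protected
    Rule("divert", PRIVATE, ANY, PUB_IF),     # private -> world: natd rewrites src
    Rule("divert", ANY, NAT_ALIAS, PUB_IF),   # world -> alias: natd rewrites dst
    Rule("allow", ANY, ANY),
]

# A catch-all divert first: every packet crossing ed0 goes to natd,
# including the protected subnet's routed traffic.
CATCH_ALL_DIVERT = [
    Rule("divert", ANY, ANY, PUB_IF),
    Rule("allow", ANY, ANY),
]


def classify(rules):
    """Run four constructed sample packets through a ruleset."""
    samples = {
        "private_out": Packet("192.168.1.20", "198.51.100.7", PUB_IF),
        "protected_out": Packet("207.122.216.130", "198.51.100.7", PUB_IF),
        "reply_to_protected": Packet("198.51.100.7", "207.122.216.130", PUB_IF),
        "reply_to_alias": Packet("198.51.100.7", "207.122.216.10", PUB_IF),
    }
    return {name: first_match(rules, p)[1] for name, p in samples.items()}


if __name__ == "__main__":
    for name, rules in (("suggested", SUGGESTED), ("catch-all divert", CATCH_ALL_DIVERT)):
        print(name, classify(rules))
```

With the suggested ordering only the private host's packet and the reply to the alias address reach the divert rule; the protected host's traffic is passed in both directions without going through natd. With the catch-all divert first, the protected host's outbound packet is diverted too, which is the situation Tim is trying to avoid.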


-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Tim Pushor
Sent: Tuesday, March 23, 1999 5:51 AM
To: Hugh Blandford
Cc: questions@FreeBSD.ORG
Subject: Re: NAT Question


Well, I have tried that.

I did not want to do that initially because I wanted to learn exactly how
ipfw and divert worked with NAT, and how I could manipulate firewall ACLs.

But after not being able to get this working for a while, I did
try -unregistered_only but the effect was that packets from my protected
network did not get sent to the 'router or nat machines' default gateway.
i.e. I could ping the public side of the router/nat box but could not ping
the internet any more (before the nat I could fine).

Think I am doing something wrong?

Thanks for the response,
Tim
-----Original Message-----
From: Hugh Blandford <hugh@island.net.au>
To: Tim Pushor <timp@orion.ab.ca>
Date: Monday, March 22, 1999 12:30 AM
Subject: Re: NAT Question


>Hi Tim,
>
>if your protected network is routable on the internet and you don't want to
>do any NAT then there is a switch you can insert in the config file or at
>runtime:
>
>-unregistered_only or -u
>
>Regards,
>
>Hugh
>
>At 22:51 22/03/99 -0700, you wrote:
>>Hello,
>>
>>I have built a NAT box using ipfw and natd on FreeBSD 2.2.8. I can't seem to
>>accomplish what I am trying to do:
>>
>>I have three interfaces (the IP's have been changed to protect the innocent
>>:)
>>
>>public - 207.122.216.0 255.255.255.128
>>protected - 207.122.216.129 255.255.255.128
>>private - 192.168.1.0 255.255.255.0
>>
>>What I am trying to do is to use the machine as a router between the public
>>and protected interfaces (and default routing out to a router that will
>>forward to the Internet), but NAT the private interface to an IP address on
>>the public side.
>>
>>The NAT works fine.. The problem I am having is that after enabling nat, the
>>protected interface will no longer forward to the Internet.
>>
>>What I am wondering is how I should configure ipfw so that traffic to/from
>>the private network is NATted, and that routing between the public and
>>protected interfaces is unaffected.
>>
>>Can someone help shed some light on this?
>>Many thanks,
>>Tim
>>
>>
>>
>>To Unsubscribe: send mail to majordomo@FreeBSD.org
>>with "unsubscribe freebsd-questions" in the body of the message
>>
>>
>

