Date: Sat, 26 Jul 2003 02:22:05 +0200
From: Clement Laforet <sheepkiller@cultdeadsheep.org>
To: durham@jcdurham.com
Cc: freebsd-hackers@freebsd.org
Subject: Re: NATD and Address Redirection
Message-ID: <20030726022205.452c374f.sheepkiller@cultdeadsheep.org>
In-Reply-To: <200307251349.38413.durham@jcdurham.com>
References: <200307251349.38413.durham@jcdurham.com>
On Fri, 25 Jul 2003 13:49:38 -0400
Jim Durham <durham@jcdurham.com> wrote:

Hi,

> I'm wondering about the characteristics of the redirect_address option
> of natd. I tried this on -questions, but no one replied, so I thought
> I'd ask on here, hoping to find folks more familiar with kernel
> mechanisms here.

Except for DIVERT, there isn't any kernel mechanism for address translation.

> Consider a FreeBSD NAT "gateway" between a public IP on one network
> interface and a private "LAN" address on the 2nd interface serving a
> group of windows machines on the LAN with private IPs.
>
> We wanted to allow outside access to one of the LAN machines.
>
> According to the documentation, as I read it, redirect_address sets up
> a "static NAT" which is symmetrical between a public address on the
> outside interface of a FreeBSD machine and a machine on a private IP
> attached to the "inside" or "LAN" network interface.
>
> The procedure we used was to alias a 2nd public address to the outside
> interface and use a redirect_address statement in natd.conf to
> redirect connections to the new public IP to the inside machine.
>
> This doesn't seem to be symmetrical.

<snip>

> I'm questioning whether the connection is really symmetrical?

For incoming traffic, you must use -redirect_address, but for outgoing you
have to set -alias_address. If you want to use a specific public IP to map
incoming AND outgoing packets, you need to run 2 natd, using ipfw matching.

regards,
clem
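The two-natd arrangement clem describes, written out as an added example (it is not from the thread, nor FreeBSD's own sample configuration). It assumes fxp0 as the outside interface, 203.0.113.10 as the gateway's main public address, 203.0.113.11 as the second aliased public address, 192.168.1.10 as the inside host, and divert ports 8668 and 8669; all of these are placeholder values. The second natd instance is given both -alias_address (rewrites the source of outgoing packets from the inside host to the second public IP) and -redirect_address (rewrites the destination of incoming packets for that public IP to the inside host), and the ipfw divert rules decide which instance sees which packets.

```shell
#!/bin/sh
# Added example: one natd per public address, selected by ipfw divert rules.
# All addresses, the interface name and the divert ports are assumed values.
EXT_IF=fxp0
PUB_MAIN=203.0.113.10        # address used by the general-purpose NAT
PUB_STATIC=203.0.113.11      # aliased address for the static 1:1 mapping
INSIDE_HOST=192.168.1.10     # LAN machine reachable from outside
PORT_MAIN=8668               # divert port of the general natd
PORT_STATIC=8669             # divert port of the static-mapping natd

# natd_commands: prints the two natd invocations.
# The second instance carries both -alias_address (outgoing direction) and
# -redirect_address (incoming direction), which is what makes the mapping
# symmetrical; -redirect_address takes "localIP publicIP".
natd_commands() {
    printf 'natd -port %s -alias_address %s\n' \
        "$PORT_MAIN" "$PUB_MAIN"
    printf 'natd -port %s -alias_address %s -redirect_address %s %s\n' \
        "$PORT_STATIC" "$PUB_STATIC" "$INSIDE_HOST" "$PUB_STATIC"
}

# ipfw_rules: prints the divert rules. Order matters: packets leaving from
# the inside host, and packets arriving for the second public IP, must be
# steered to the static-mapping natd before the catch-all rule hands
# everything else on the outside interface to the general natd.
ipfw_rules() {
    printf 'ipfw add 1000 divert %s ip from %s to any out via %s\n' \
        "$PORT_STATIC" "$INSIDE_HOST" "$EXT_IF"
    printf 'ipfw add 1010 divert %s ip from any to %s in via %s\n' \
        "$PORT_STATIC" "$PUB_STATIC" "$EXT_IF"
    printf 'ipfw add 1020 divert %s ip from any to any via %s\n' \
        "$PORT_MAIN" "$EXT_IF"
}

# apply: with DRYRUN=1 (the default) only print the commands; with DRYRUN=0
# execute them, which needs root and a kernel built with IPFIREWALL/IPDIVERT.
apply() {
    if [ "${DRYRUN:-1}" = 1 ]; then
        natd_commands
        ipfw_rules
    else
        natd_commands | sh
        ipfw_rules | sh
    fi
}

apply
```

Because -redirect_address is a full 1:1 mapping, every port of the inside host becomes reachable through the second public address; any ipfw pass/deny rules that are meant to limit that exposure have to be numbered before rule 1010, since once a packet is diverted and rewritten it continues through the rest of the ruleset with the inside address as its destination.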