From owner-freebsd-questions Mon Oct 30 11:20: 7 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 84EBC37B479 for ; Mon, 30 Oct 2000 11:20:04 -0800 (PST)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Mon, 30 Oct 2000 11:18:27 -0800
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9UJJla03687; Mon, 30 Oct 2000 11:19:47 -0800 (PST) (envelope-from cjc)
Date: Mon, 30 Oct 2000 11:19:46 -0800
From: "Crist J . Clark"
To: Daniel Ruthardt
Cc: freebsd-questions@freebsd.org
Subject: Re: IP Masquerading - Using NAT
Message-ID: <20001030111946.A3675@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <20001029143205.X75251@149.211.6.64.reflexcom.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from ruthardt@chello.at on Mon, Oct 30, 2000 at 10:25:11AM +0100
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, Oct 30, 2000 at 10:25:11AM +0100, Daniel Ruthardt wrote:

[snip]

> Here is the information you need to help me:
>
> $ cat /etc/rc.conf
>
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
>
> keymap="german.iso"
> gateway_enable="YES"
> hostname="dowee.com"
> firewall_enable="YES"
> firewall_type="OPEN"
> natd_interface="xl0"
> natd_enable="YES"
> ifconfig_xl0="DHCP"
> ifconfig_xl0_alias0="inet 192.0.0.1 netmask 255.255.255.0"
>
> $ fgrep 'IP packet filtering' /var/run/dmesg.boot
>
> IP packet filtering initialized, divert enabled, rule-based forwarding disabled,
> default to deny, logging disabled
>
> $ ifconfig -a
>
> xl0: flags=8843 mtu 1500
>         inet6 fe80::250:4ff:fe4d:3695%xl0 prefixlen 64 scopeid 0x1
>         inet 212.186.196.204 netmask 0xffffff00 broadcast 212.186.196.255
>         inet 192.0.0.1 netmask 0xffffff00 broadcast 192.0.0.255
>         ether 00:50:04:4d:36:95
>         media: 10baseT/UTP (10baseT/UTP )
>         supported media: 10baseT/UTP 10baseT/UTP 10baseT/UTP

[snip]

> $ ipfw show
>
> 00100 3064 945994 divert 8668 ip from any to any via xl0
> 00100    0      0 allow ip from any to any via lo0
> 00200    0      0 deny ip from any to 127.0.0.0/8
> 65000 3064 945994 allow ip from any to any
> 65535    2    656 deny ip from any to any
>
> Hope the information tells you what I've done wrong (-:

Looks pretty good except for one big problem: you are trying to use a single interface. natd(8) is designed to be used with multiple interfaces. It does not work well with one. Each packet will go through natd(8) twice and this tends to really confuse it.

There are other problems with this scheme. First, if you were planning to later add firewall rules for security, they will offer little protection since your machines are still naked on the net. Second, you are likely going to be leaking your "private" address traffic onto your LAN (and from there who knows where it may get routed). You will be one of those guys who causes all those people to mail the list asking why they are getting arp error messages about machines responding on the wrong interface.

-- 
Crist J. Clark                           cjclark@alum.mit.edu