Date: Wed, 12 Jan 2000 05:17:43 +0100
From: Martin Welk <mw@theatre.sax.de>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: NATD and Public IP Addresses
Message-ID: <20000112051743.C24866@theatre.sax.de>
In-Reply-To: <20000111110118.C18967@relay.ucb.crimea.ua>; from ru@ucb.crimea.ua on Tue, Jan 11, 2000 at 11:01:18AM +0200
References: <Pine.BSF.4.10.10001101619480.88174-100000@intertain.interlog.com> <20000111003327.C33776@extremis.demon.co.uk> <20000111030946.A14785@theatre.sax.de> <20000111110118.C18967@relay.ucb.crimea.ua>
On Tue, Jan 11, 2000 at 11:01:18AM +0200, Ruslan Ermilov wrote:
> > (*) Public network interface addresses configured as ifconfig aliases, that
> > means, the gateway recognizes itself as that address. When this is done, it
> > can pass the packets through natd which changes the address and forwards
> > them to an assigned address in the private network.
> It is *NOT* required to bind these addresses to interface.

This is quite interesting. I always thought so until now :-)

If I understand you right, it's enough to let natd listen to the gateway
interface and let it know about the addresses it should work with?
Interesting. What if there are further hosts next to the gateway interface
on the Ethernet (if there is some Ethernet), does one have to do proxy ARP
so the NAT box recognizes that it is meant for these packets, or is that done
by some routing (even static routes)?

> A stricter ruleset would look like:

Of course, this was an example. I have written more complex firewall
configurations with more than 250 rules. This is an example of how to bring
it to work, to try it out and see if everything is right. Such a minimum
configuration is IMO a good starting point because one cannot do very much
wrong. You can of course still find hundreds of ways to make your
firewall/NAT setup not work anymore later, I think :-)

> > and a natd configuration like
> >
> > alias_address a.b.c.1
> >
> Why waste the a.b.c.1? The `interface xxx' clause will do the trick.
> I would also recommend `deny_incoming', `use_sockets' and `same_ports'.

I know I sometimes need to explain better some things which I meant
implicitly. I meant a.b.c.1 as the address for the gateway interface, and in
this case natd shouldn't care whether it refers to that by an interface
directive or an alias_address directive.

> Like I said, the latter is not required at all, just make sure
> the traffic for a.b.c.[2-4] is passed via `xxx' interface.

You can do that by routing if you have some part of a ``real'' network (like
a /29 part) and an interface address your ISP routes the complete network
to. I have done configurations where three or four IP addresses of a /24 or
/27 were used for NAT and where some other machines are on the same piece of
Ethernet, so one way is routing (static routes, perhaps published by some
routing protocol), another may be proxy ARP, and I chose ifconfig aliases :-)
(The last two work based on ARP and make reaching the NAT host independent
from IP routing. I have done six or seven NAT configurations so far, and I
don't want to decide which way is the better one or the right one. But as
they work, I guess they cannot be that bad :-) Yes, I know that sometimes
working configurations are not ``nice'' configurations.)

Regards,
Martin

-- 
Martin Welk
Freiberg/Saxony, Germany
mw@sax.de / mw@theatre.sax.de
,,You know, there's a lot of opportunities, if you're knowing to take them,
you know, there's a lot of opportunities, if there aren't you can make them,
make or break them!'' (Tennant/Lowe)
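The setup the thread converges on (natd bound with `interface` plus `deny_incoming`, `use_sockets`, `same_ports`, and a.b.c.[2-4] delivered to the gateway by routing, proxy ARP or ifconfig aliases), written up as a staging script that only generates files for review; this is an added example, not from the thread or from FreeBSD, and fxp0, the 10.0.0.x hosts, the /29 and the MAC address are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Stages natd/ipfw configuration for
# review; it never touches the running system. Assumed (placeholder) layout:
# fxp0 carries a.b.c.1; public a.b.c.2-4 map 1:1 to private 10.0.0.2-4.
EXT_IF=${EXT_IF:-fxp0}
STAGE=${STAGE:-./natd-stage}

natd_conf() {
    # `interface' makes natd use fxp0's own address, so a.b.c.1 is not spent
    # as an alias_address. deny_incoming drops inbound packets that match no
    # translation entry; redirect_address creates the static entries that
    # expose exactly the three private hosts and nothing else.
    cat <<EOF
interface $EXT_IF
deny_incoming yes
use_sockets yes
same_ports yes
redirect_address 10.0.0.2 a.b.c.2
redirect_address 10.0.0.3 a.b.c.3
redirect_address 10.0.0.4 a.b.c.4
EOF
}

# How a.b.c.2-4 reach the gateway at all: "route" relies on the ISP routing
# the /29 to a.b.c.1, "alias" binds each address to fxp0, "proxyarp"
# publishes ARP entries for them with the gateway's MAC (placeholder MAC).
reach_cmds() {
    case "$1" in
    route)    echo "# ISP routes a.b.c.0/29 -> a.b.c.1; no local action" ;;
    alias)    for i in 2 3 4; do
                  echo "ifconfig $EXT_IF alias a.b.c.$i netmask 255.255.255.255"
              done ;;
    proxyarp) for i in 2 3 4; do
                  echo "arp -s a.b.c.$i 00:00:00:00:00:01 pub"
              done ;;
    *)        echo "usage: reach_cmds route|alias|proxyarp" >&2; return 1 ;;
    esac
}

stage() {
    # Write everything under $STAGE so it can be diffed before loading.
    mkdir -p "$STAGE" || return 1
    natd_conf > "$STAGE/natd.conf"
    reach_cmds "${1:-alias}" > "$STAGE/reach.sh" || return 1
    # The divert rule goes into the site's own ipfw ruleset; only it is staged.
    echo "ipfw add 100 divert natd ip from any to any via $EXT_IF" > "$STAGE/ipfw.sh"
}
```

Run `stage proxyarp` (or `alias` / `route`) and inspect the files under the staging directory before loading anything onto a live gateway.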