Date:      Wed, 12 Jan 2000 05:17:43 +0100
From:      Martin Welk <mw@theatre.sax.de>
To:        freebsd-questions@FreeBSD.ORG
Subject:   Re: NATD and Public IP Addresses
Message-ID:  <20000112051743.C24866@theatre.sax.de>
In-Reply-To: <20000111110118.C18967@relay.ucb.crimea.ua>; from ru@ucb.crimea.ua on Tue, Jan 11, 2000 at 11:01:18AM +0200
References:  <Pine.BSF.4.10.10001101619480.88174-100000@intertain.interlog.com> <20000111003327.C33776@extremis.demon.co.uk> <20000111030946.A14785@theatre.sax.de> <20000111110118.C18967@relay.ucb.crimea.ua>

On Tue, Jan 11, 2000 at 11:01:18AM +0200, Ruslan Ermilov wrote:

> > (*) Public network interface addresses configured as ifconfig aliases, that
> > means, the gateway recognizes itself as that address. When this is done, it
> > can pass the packets through natd which changes the address and forwards
> > them to an assigned address in the private network.
> It is *NOT* required to bind these addresses to interface.

This is quite interesting. I always thought so up to now :-) If I understand
you right, it's enough to let natd listen on the gateway interface and
let it know about the addresses it should work with? Interesting. What
if there are further hosts next to the gateway interface on the Ethernet
(if there is some Ethernet), does one have to do proxy ARP so the NAT
box recognizes that these packets are meant for it, or is that done by
some routing (even static routes)?

> A stricter ruleset would look like:

Of course, this was an example. I have written more complex firewall
configurations with more than 250 rules. This was an example of how
to get it working, to try it out and see if everything is right.

Such a minimal configuration is IMO a good starting point
because one cannot do very much wrong. You can of course still
find hundreds of ways to make your firewall/NAT setup stop
working later, I think :-)

> > and a natd configuration like
> > 
> > 	alias_address a.b.c.1
> > 
> Why wasting the a.b.c.1?  The `interface xxx' clause will do the trick.
> I would also recommend `deny_incoming', `use_sockets' and `same_ports'.

I know I sometimes need to explain better the things I meant
implicitly. I meant a.b.c.1 as the address of the gateway interface,
and in this case natd shouldn't care whether it refers to that by
an interface directive or an alias_address directive.

> Like I said, the latter is not required at all, just make sure
> the traffic for a.b.c.[2-4] is passed via `xxx' interface.

You can do that by routing if you have some part of a ``real'' network
(like a /29) and an interface address your ISP routes the
complete network to. I have done configurations where three or four
IP addresses of a /24 or /27 were used for NAT and where
some other machines are on the same piece of Ethernet, so one way is
routing (static routes, perhaps published by some routing protocol),
another may be proxy ARP, and I chose ifconfig aliases :-) (The last
two work based on ARP and make reaching the NAT host independent of
IP routing - I have done six or seven NAT configurations so far, and I don't
want to decide which way is the better one or the right one. But as they
work, I guess they cannot be that bad :-) Yes, I know that sometimes
working configurations are not ``nice'' configurations.)

Regards,

Martin
-- 
 /| /|        | /| /            ,,You know, there's a lot of opportunities,
/ |/ | artin  |/ |/ elk                     if you're knowing to take them,
                                  you know, there's a lot of opportunities,
Freiberg/Saxony, Germany                 if there aren't you can make them,
mw@sax.de / mw@theatre.sax.de          make or break them!'' (Tennant/Lowe)
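As an added example (not code from Martin's or Ruslan's mails), the three ways the thread names for getting traffic for a.b.c.[2-4] to the NAT box, written out side by side for a constructed /29 together with the natd.conf that does the 1:1 mapping. The addressing (198.51.100.0/29 public on fxp0, 192.168.1.0/24 private, 203.0.113.2 as the gateway's link address for the routed case), the interface names and the MAC address are assumptions; the script only prints the configuration lines rather than applying them, and the small address check refuses a public address outside the block, the network or broadcast address, or the gateway's own address, which is the kind of mistake a minimal test setup otherwise hides. The anti-spoofing ipfw rule is this example's addition, not part of the thread's ruleset.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Prints, never applies.
#
# Assumed addressing (constructed, RFC 5737 documentation space):
#   public block     198.51.100.0/29 on fxp0, gateway address 198.51.100.1
#   private hosts    192.168.1.2-4 behind fxp1, mapped to 198.51.100.2-4
#   link address     203.0.113.2 on fxp0 for the routed variant (c) only
#   fxp0 MAC         00:00:5e:00:53:01 (placeholder, RFC 7042 range)
PUB_IF=fxp0
PUB_NET=198.51.100.0
PUB_PREFIX=29
GW_ADDR=198.51.100.1
LINK_ADDR=203.0.113.2
PUB_MAC=00:00:5e:00:53:01
PRIV_NET=192.168.1.0/24
# "public private" pairs, one per line (constructed sample data)
MAPPINGS="198.51.100.2 192.168.1.2
198.51.100.3 192.168.1.3
198.51.100.4 192.168.1.4"

# ip4_to_int: dotted quad to a 32-bit integer, POSIX sh only.
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# usable_public: succeed only if $1 is a host address inside
# PUB_NET/PUB_PREFIX that is neither the network address, the broadcast
# address, nor the gateway's own address.
usable_public() {
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "$PUB_NET")
    gw=$(ip4_to_int "$GW_ADDR")
    bcast=$(( net + (1 << (32 - PUB_PREFIX)) - 1 ))
    [ "$ip" -gt "$net" ] && [ "$ip" -lt "$bcast" ] && [ "$ip" -ne "$gw" ]
}

# natd_conf: /etc/natd.conf.  `interface' instead of `alias_address' and the
# three options Ruslan recommended; one redirect_address line per pair.
# Fails (exit 1, nothing more printed) on an unusable public address.
natd_conf() {
    cat <<EOF
interface $PUB_IF
deny_incoming yes
use_sockets yes
same_ports yes
EOF
    while read -r pub priv; do
        usable_public "$pub" || { echo "unusable public address: $pub" >&2; return 1; }
        echo "redirect_address $priv $pub"
    done <<EOF
$MAPPINGS
EOF
}

# (a) ifconfig aliases: the gateway owns the addresses, so the kernel answers
# ARP for them.  /32 mask: the primary address already carries the real mask.
reach_via_alias() {
    while read -r pub priv; do
        echo "ifconfig $PUB_IF inet $pub netmask 255.255.255.255 alias"
    done <<EOF
$MAPPINGS
EOF
}

# (b) proxy ARP: publish the gateway's MAC for each address without
# configuring the address on any interface.
reach_via_proxy_arp() {
    while read -r pub priv; do
        echo "arp -s $pub $PUB_MAC pub"
    done <<EOF
$MAPPINGS
EOF
}

# (c) routing: nothing ARP-related on the gateway; the ISP router sends the
# whole block to the gateway's link address (route(8) syntax, FreeBSD upstream).
reach_via_route() {
    echo "route add -net $PUB_NET/$PUB_PREFIX $LINK_ADDR   # on the upstream router"
}

# ipfw_rules: the thread's divert-then-allow skeleton, plus a drop (before the
# divert, so natd never sees it) of public-side packets claiming a private
# source.  Everything site-specific belongs between 200 and 65000.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 deny ip from $PRIV_NET to any in recv $PUB_IF
ipfw add 200 divert natd ip from any to any via $PUB_IF
ipfw add 65000 allow ip from any to any
EOF
}

# Usage: sh natd-setup.sh alias|proxy-arp|route   (prints only)
if [ $# -gt 0 ]; then
    natd_conf && ipfw_rules
    case "$1" in
        alias)     reach_via_alias ;;
        proxy-arp) reach_via_proxy_arp ;;
        route)     reach_via_route ;;
    esac
fi
```

Running it with one of the three variant names prints the natd.conf, the ipfw skeleton and the commands for that variant, so the three approaches can be compared on paper before one of them is put into /etc/rc.conf and /etc/natd.conf.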






Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000112051743.C24866>