OT: FreeBSD and natd

Adam McDougall mcdouga9@egr.msu.edu
Thu, 22 Feb 2001 10:46:24 -0500 (EST)


Yes, I have.
Do you have NAT working yet?  If not, the natd manpage has a list of steps
at the bottom to go through; some of them are already done or implemented
a little differently, so the main parts are putting IPFIREWALL and IPDIVERT
in your kernel config and recompiling it, and enabling
these things in /etc/rc.conf:
gateway_enable="YES"
firewall_enable="YES"            # Set to YES to enable firewall
firewall_script="/etc/rc.firewall" # Which firewall rule script to run
firewall_type="OPEN"         # Firewall type (see /etc/rc.firewall)
natd_enable="YES"                # Enable natd
natd_interface="fxp0"           # Public interface or IPaddress to use.
natd_flags=""                   # Additional flags for natd.

I prefer not listing flags here because they can be put in
/etc/natd.conf, which is easier to feed natd if you need to restart it to
update the configuration, like for redirected ports.  Go ahead and list
the interface in rc.conf anyway; other scripts like rc.firewall read it.
So instead of listing the flags you want, just put
natd_flags="-f /etc/natd.conf", and if you need to restart natd after you
are booted, just kill the sucker completely and run natd -f /etc/natd.conf.
This is what my /etc/natd.conf looks like:
alias_address 24.2.221.22
port 8668
use_sockets yes
same_ports yes
unregistered_only yes

You will want to add a line like this for your database server:
redirect_port tcp 10.0.0.2:12345 8080

Replace tcp with tcp or udp, and 10.0.0.2:12345 with the IP and port the
database is actually running on.
If you have firewall_type set to OPEN or CLIENT in rc.conf then it
will stick in a firewall rule to get NAT working.

On-the-fly restarting for new config gotchas:
o If you need to restart natd, do it locally.
o If you want to do it remotely anyway, make sure you have specific rules
 in your firewall before the divert line allowing all hosts to access your
 computer's port 22 for sshd, for example.  You need to remove the divert
 firewall rule with the ipfw del command if you don't have a specific allow
 first, or the divert rule will be piping your packets into outer space if
 you don't have a natd running.
o Adding specific allow and deny rules before the divert rule is favorable,
 in my experience anyway, because it depends on natd less.  ipfw works on a
 first-match system from top to bottom.
o natd doesn't support updating configuration by -HUP yet.
o Killing it drops aliased connections.

Hope I haven't forgotten anything =)

On Wed, 21 Feb 2001, Mike Szumlinski wrote:

> After having my Linux box compromised recently due to the wu-ftp daemon
> security holes, I decided that on the reinstall I'd try something new. I
> have switched to FreeBSD 4.2, which so far works great. I was wondering if
> anyone in the group has used FreeBSD and natd to do both IP masquerading
> and port redirection. I have a database server that I would like the
> outside world to be able to see on port 8080, but I just can't seem to
> figure out why it won't work.
>
> -Mike
>
> -=--===---===---===---===-=-
> |Mike Szumlinski           |
> |Michigan State University |
> |A26079565                 |
> -=--===---===---===---===-=-
> "The future is no place to place your better days" -DMB
>
>
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user
>
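The setup Adam describes, put together as one script, as an added example that is not part of either message above: the natd.conf with the redirect_port line, an ipfw ruleset that places the sshd allows ahead of the divert rule (the "restart remotely" gotcha), the same ruleset in the unsafe order for contrast, a check that mechanically verifies the first-match ordering, and the kill-and-restart step for a changed natd.conf. The interface fxp0, the address 24.2.221.22, the database host 10.0.0.2:12345 and the rule numbers 40/45 are assumptions taken over from the thread or chosen here; 50 is the number rc.firewall's OPEN type gives the natd divert rule.

```shell
#!/bin/sh
# Added example, not from the thread above: a natd/ipfw layout in the shape
# the reply describes, plus a check that the "specific allow before the
# divert rule" ordering holds before natd is restarted over ssh.
# Assumptions: public interface fxp0, database host 10.0.0.2:12345, ipfw
# rule numbers 40/45 for sshd and 50 for the divert (50 is what
# rc.firewall's OPEN type uses for the natd divert rule).

PUBLIC_IF=${PUBLIC_IF:-fxp0}
NATD_CONF=${NATD_CONF:-/etc/natd.conf}

# /etc/natd.conf as laid out in the reply, with the redirect_port line that
# publishes the internal database on public TCP port 8080.
natd_conf() {
    cat <<'EOF'
alias_address 24.2.221.22
port 8668
use_sockets yes
same_ports yes
unregistered_only yes
redirect_port tcp 10.0.0.2:12345 8080
EOF
}

# Safe ordering.  ipfw stops at the first matching rule, so sshd traffic in
# both directions (rules 40 and 45) is passed before it can reach the divert
# rule, and a remote session survives a natd restart.
ipfw_rules_safe() {
    cat <<EOF
add 40 allow tcp from any to any 22 via $PUBLIC_IF
add 45 allow tcp from any 22 to any via $PUBLIC_IF
add 50 divert natd ip from any to any via $PUBLIC_IF
add 100 allow ip from any to any via lo0
add 65000 allow ip from any to any
EOF
}

# Unsafe ordering: the sshd allows sit after the divert, so while natd is
# not running the divert rule swallows every packet on the public
# interface, including the ssh session that is doing the restart.
ipfw_rules_unsafe() {
    cat <<EOF
add 50 divert natd ip from any to any via $PUBLIC_IF
add 100 allow tcp from any to any 22 via $PUBLIC_IF
add 110 allow tcp from any 22 to any via $PUBLIC_IF
add 65000 allow ip from any to any
EOF
}

# Read an "add N action proto from A [port] to B [port] ..." rule list on
# stdin and return 0 only if tcp/22 is allowed in both directions by rules
# numbered below the divert rule.  Only the plain rule shape used above is
# parsed; ipfw's real syntax is far richer.
ssh_rules_before_divert() {
    awk '
        $1 == "add" && $3 == "divert" && !have_divert { divert = $2 + 0; have_divert = 1 }
        $1 == "add" && $3 == "allow" && $4 == "tcp" && $9 == "22" && !seen_in  { to_ssh = $2 + 0; seen_in = 1 }
        $1 == "add" && $3 == "allow" && $4 == "tcp" && $7 == "22" && !seen_out { from_ssh = $2 + 0; seen_out = 1 }
        END {
            ok = have_divert && seen_in && seen_out && to_ssh < divert && from_ssh < divert
            exit (ok ? 0 : 1)
        }'
}

# Restart natd with a changed natd.conf.  natd does not reload on SIGHUP, so
# the running daemon is killed outright (aliased connections drop) and
# started again from the config file.  Run this from the console, or only
# after ssh_rules_before_divert has passed for the loaded ruleset.
restart_natd() {
    killall natd 2>/dev/null || true
    natd -f "$NATD_CONF"
}

# Load the safe ruleset into a live ipfw (FreeBSD only; needs root).
load_safe_rules() {
    ipfw_rules_safe | while read -r rule; do
        # shellcheck disable=SC2086
        ipfw $rule
    done
}

ipfw_rules_safe
```

On the box itself, `natd_conf > /etc/natd.conf`, `load_safe_rules` and then `restart_natd` reproduce the procedure from the reply; `ipfw_rules_unsafe | ssh_rules_before_divert` returns 1, which is exactly the layout where a remote restart locks you out until someone at the console runs `ipfw del 50`.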