1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-24 11:29:10 +00:00

src/usr.sbin/natd -> src/sbin/natd (after a repo-copy by jdp)

This commit is contained in:
Brian Somers 1999-03-12 15:38:55 +00:00
parent cad59f82df
commit 2f9a9cb08c
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=44690
11 changed files with 3 additions and 2372 deletions

View File

@ -1,5 +1,5 @@
# @(#)Makefile 8.5 (Berkeley) 3/31/94 # @(#)Makefile 8.5 (Berkeley) 3/31/94
# $Id: Makefile,v 1.65 1999/02/27 02:25:06 jkh Exp $ # $Id: Makefile,v 1.66 1999/02/27 10:54:06 jkh Exp $
# XXX MISSING: icheck ncheck # XXX MISSING: icheck ncheck
@ -41,6 +41,7 @@ SUBDIR= adjkerntz \
mount_umap \ mount_umap \
mount_union \ mount_union \
mountd \ mountd \
natd \
newfs \ newfs \
newfs_msdos \ newfs_msdos \
nfsd \ nfsd \

View File

@ -1,5 +1,5 @@
# From: @(#)Makefile 5.20 (Berkeley) 6/12/93 # From: @(#)Makefile 5.20 (Berkeley) 6/12/93
# $Id: Makefile,v 1.147 1999/01/11 18:03:54 msmith Exp $ # $Id: Makefile,v 1.148 1999/02/21 21:30:13 rnordier Exp $
# XXX MISSING: mkproto # XXX MISSING: mkproto
SUBDIR= IPXrouted \ SUBDIR= IPXrouted \
@ -46,7 +46,6 @@ SUBDIR= IPXrouted \
named \ named \
named.reload \ named.reload \
named.restart \ named.restart \
natd \
ndc \ ndc \
newsyslog \ newsyslog \
nslookup \ nslookup \

View File

@ -1,146 +0,0 @@
* Version 0.1
Initial version of natd.
* Version 0.2
- Alias address can now be set by giving interface name with
new (-n) command-line option.
- New Makefile based on bsd.prog.mk.
- Error messages are written to syslog
after natd has become a daemon.
* Version 1.0
- Support for using only single socket (-p option)
* Version 1.1
- -a option now understands a hostname also.
- -a option no longer dumps core.
- Packet aliasing software upgraded to v. 1.9
- added long option names (like -address)
* Version 1.2
- Fixed core dump with -port option.
- Added -Wall to CFLAGS and some headers added to natd.c
to get clean compile by Brian Somers [brian@awfulhak.org].
* Version 1.3
- Aliasing address initialization is delayed until first
packet arrives. This allows natd to start up before
interface address is set.
- SIGTERM is now catched to allow kernel to close
existing connections when system is shutting down.
- SIGHUP is now catched to allow natd to refresh aliasing
address from interface, which might be useful to tun devices.
* Version 1.4
- Changed command line options to be compatible with
command names used in ppp+packetAlias package (which is the
original application using aliasing routines).
The options which map directly to packet aliasing options are:
-unregistered_only [yes|no]
-log [yes|no]
-deny_incoming [yes|no]
-use_sockets [yes|no]
-same_ports [yes|no]
The short option names are the same as in previous
releases.
- Command line parser rewritten to provide more flexible
way to support new packet aliasing options.
- Support for natd.cf configuration file has been added.
- SIGHUP no longer causes problems when running without
interface name option.
- When using -interface command line option, routing socket
is optionally listened for interface address changes. This
mode is activated by -dynamic option.
- Directory tree reorganized, alias package is now a library.
- Manual page written by Brian Somers <brian@awfulhak.org> added.
- README file updated.
* Version 1.5
- Support for sending ICMP 'need fragmentation' messages
when packet size exceeds mtu size of outgoing network interface.
- ipfw rule example in manual page fixed.
* Version 1.6
- Upgrade to new packet aliasing engine (2.1)
- redirect_port and redirect_address configuration
parameters added.
- It is no longer necessary to quote complex parameter values
in command line.
- Manual page fixed (same_port -> same_ports).
* Version 1.7
- A bug in command-line parsing fixed (it appeared due
to changes made in 1.6).
* Version 1.8
- Fixed problems with -dynamic option.
- Added /var/run/natd.pid
* Version 1.9
- Changes to manual page by
Brian Somers <brian@awfulhak.org> integrated.
- Checksum for incoming packets is always recalculated
for FreeBSD 2.2 and never recalculated for newer
versions. This should fix the problem with wrong
checksum of fragmented packets.
- Buffer space problem found by Sergio Lenzi <lenzi@bsi.com.br>
fixed. Natd now waits with select(2) for buffer space
to become available if write fails.
- Packet aliasing library upgraded to 2.2.
* Version 1.10
- Ignored incoming packets are now dropped when
deny_incoming option is set to yes.
- Packet aliasing library upgraded to 2.4.
* Version 1.11
- Code cleanup work done in FreeBSD-current development merged.
- Port numbers are now unsigned as they should always have been.
* Version 1.12
- Typos in comment fixed. Copyright message added to
source & header files that were missing it.
- A small patch to libalias to make static NAT work correctly.
* Version 2.0
- Upgrade to libalias 3.0 which gives:
- Transparent proxy support.
- permanent_link is now obsolete, use redirect_port instead.
- Drop support for early FreeBSD 2.2 versions
- If separate input & output sockets are being used
use them to find out packet direction instead of
normal mechanism. This can be handy in complex environments
with multiple interfaces.
- libalias is no longer part of this distribution.
- New sample configuration file
from Ted Mittelstaedt <tedm@portsoft.com>.
- PPTP redirect support by Dru Nelson <dnelson@redwoodsoft.com> added.
- Logging enhancements from Martin Machacek <mm@i.cz> added.

View File

@ -1,8 +0,0 @@
PROG = natd
SRCS = natd.c icmp.c
CFLAGS += -Wall
LDADD = -lalias
DPADD = ${LIBALIAS}
MAN8 = natd.8
.include <bsd.prog.mk>

View File

@ -1,53 +0,0 @@
A Network Address Translation Daemon for FreeBSD
1. WHAT IS NATD ?
This is a simple daemon based on FreeBSD divert sockets
which performs network address translation (or masquerading)
for IP packets (see related RFCs 1631 and 1918).
It is based on packet aliasing package (see README.alias)
written by Charles Mott (cmott@srv.net).
This package works with any network interface (doesn't have
to be ppp). I run it on a computer having two ethernet cards,
one connected to internet and the other one to local network.
2. GETTING IT RUNNING
1) Get FreeBSD 2.2 - I think the divert sockets are
not available on earlier versions,
2) Compile this software by executing "make".
3) Install the software by executing "make install".
4) See man natd for further instructions.
3. FTP SITES FOR NATD
This package is available at ftp://ftp.suutari.iki.fi/pub/natd.
4. AUTHORS
This program is the result of the efforts of many people
at different times:
Archie Cobbs <archie@whistle.com> Divert sockets
Charles Mott <cmott@srv.net> Packet aliasing engine
Eivind Eklund <eivind@dimaga.com> Packet aliasing engine
Ari Suutari <suutari@iki.fi> Natd
Brian Somers <brian@awfulhak.org> Manual page, glue and
bunch of good ideas.
The original package written by Charles Mott
is available at http://www.srv.net/~cmott.
It is described in README.alias.
Happy Networking - comments and fixes are welcome!
Ari S. (suutari@iki.fi)

View File

@ -1,127 +0,0 @@
/*
* natd - Network Address Translation Daemon for FreeBSD.
*
* This software is provided free of charge, with no
* warranty of any kind, either expressed or implied.
* Use at your own risk.
*
* You may copy, modify and distribute this software (icmp.c) freely.
*
* Ari Suutari <suutari@iki.fi>
*
* $Id:$
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <errno.h>
#include <signal.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
#include <machine/in_cksum.h>
#include <alias.h>
#include "natd.h"
int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu)
{
char icmpBuf[IP_MAXPACKET];
struct ip* ip;
struct icmp* icmp;
int icmpLen;
int failBytes;
int failHdrLen;
struct sockaddr_in addr;
int wrote;
struct in_addr swap;
/*
* Don't send error if packet is
* not the first fragment.
*/
if (ntohs (failedDgram->ip_off) & ~(IP_MF | IP_DF))
return 0;
/*
* Dont respond if failed datagram is ICMP.
*/
if (failedDgram->ip_p == IPPROTO_ICMP)
return 0;
/*
* Start building the message.
*/
ip = (struct ip*) icmpBuf;
icmp = (struct icmp*) (icmpBuf + sizeof (struct ip));
/*
* Complete ICMP part.
*/
icmp->icmp_type = ICMP_UNREACH;
icmp->icmp_code = ICMP_UNREACH_NEEDFRAG;
icmp->icmp_cksum = 0;
icmp->icmp_void = 0;
icmp->icmp_nextmtu = htons (mtu);
/*
* Copy header + 64 bits of original datagram.
*/
failHdrLen = (failedDgram->ip_hl << 2);
failBytes = failedDgram->ip_len - failHdrLen;
if (failBytes > 8)
failBytes = 8;
failBytes += failHdrLen;
icmpLen = ICMP_MINLEN + failBytes;
memcpy (&icmp->icmp_ip, failedDgram, failBytes);
/*
* Calculate checksum.
*/
icmp->icmp_cksum = PacketAliasInternetChecksum ((u_short*) icmp,
icmpLen);
/*
* Add IP header using old IP header as template.
*/
memcpy (ip, failedDgram, sizeof (struct ip));
ip->ip_v = 4;
ip->ip_hl = 5;
ip->ip_len = htons (sizeof (struct ip) + icmpLen);
ip->ip_p = IPPROTO_ICMP;
ip->ip_tos = 0;
swap = ip->ip_dst;
ip->ip_dst = ip->ip_src;
ip->ip_src = swap;
PacketAliasIn ((char*) ip, IP_MAXPACKET);
addr.sin_family = AF_INET;
addr.sin_addr = ip->ip_dst;
addr.sin_port = 0;
/*
* Put packet into processing queue.
*/
wrote = sendto (sock,
icmp,
icmpLen,
0,
(struct sockaddr*) &addr,
sizeof addr);
if (wrote != icmpLen)
Warn ("Cannot send ICMP message.");
return 1;
}

View File

@ -1,426 +0,0 @@
.\" manual page [] for natd 1.4
.\" $Id:$
.Dd 15 April 1997
.Os FreeBSD
.Dt NATD 8
.Sh NAME
.Nm natd
.Nd
Network Address Translation Daemon
.Sh SYNOPSIS
.Nm
.Op Fl ldsmvu
.Op Fl dynamic
.Op Fl i Ar inport
.Op Fl o Ar outport
.Op Fl p Ar port
.Op Fl a Ar address
.Op Fl n Ar interface
.Op Fl f Ar configfile
.Nm
.Op Fl log
.Op Fl deny_incoming
.Op Fl log_denied
.Op Fl use_sockets
.Op Fl same_ports
.Op Fl verbose
.Op Fl log_facility Ar facility_name
.Op Fl unregistered_only
.Op Fl dynamic
.Op Fl inport Ar inport
.Op Fl outport Ar outport
.Op Fl port Ar port
.Op Fl alias_address Ar address
.Op Fl interface Ar interface
.Op Fl config Ar configfile
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_address Ar localIP publicIP
.Op Fl reverse
.Op Fl proxy_only
.Op Fl proxy_rule Ar proxyspec
.Op Fl pptpalias Ar localIP
.Sh DESCRIPTION
This program provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under FreeBSD. Most of the command line options are available
in a single character short form or in a long form. Use of the long
form is encouraged as it makes things clearer to the casual observer.
.Pp
.Nm Natd
normally runs in the background as a daemon. It is passed raw IP packets
as they travel into and out of the machine, and will possibly change these
before re-injecting them back into the IP packet stream.
.Pp
.Nm Natd
changes all packets destined for another host so that their source
IP number is that of the current machine. For each packet changed
in this manner, an internal table entry is created to record this
fact. The source port number is also changed to indicate the
table entry applying to the packet. Packets that are received with
a target IP of the current host are checked against this internal
table. If an entry is found, it is used to determine the correct
target IP number and port to place in the packet.
.Pp
The following command line options are available.
.Bl -tag -width Fl
.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time natd is started.
.It Fl deny_incoming | d
Reject packets destined for the current IP number that have no entry
in the internal translation table.
.It Fl log_denied
Log denied incoming packets via syslog (see also log_facility)
.It Fl log_facility Ar facility_name
Use specified log facility when logging information via syslog.
Facility names are as in
.Xr syslog.conf 5
.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection. This
option uses more system resources, but guarantees successful connections
when port numbers conflict.
.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working. If it is not possible to maintain the port number, it
will be silently changed as per normal.
.It Fl verbose | v
Don't call
.Xr fork 2
or
.Xr daemon 3
on startup. Instead, stay attached to the controling terminal and
display all packet alterations to the standard output. This option
should only be used for debugging purposes.
.It Fl unregistered_only | u
Only alter outgoing packets with an unregistered source address.
According to rfc 1918, unregistered source addresses are 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16.
.It Fl redirect_port Ar proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]
Redirect incoming connections arriving to given port to another host and port.
Proto is either tcp or udp, targetIP is the desired target IP
number, targetPORT is the desired target PORT number, aliasPORT
is the requested PORT number and aliasIP is the aliasing address.
RemoteIP and remotePORT can be used to specify the connection
more accurately if necessary.
For example, the argument
.Ar tcp inside1:telnet 6666
means that tcp packets destined for port 6666 on this machine will
be sent to the telnet port on the inside1 machine.
.It Fl redirect_address Ar localIP publicIP
Redirect traffic for public IP address to a machine on the local
network. This function is known as "static NAT". Normally static NAT
is useful if your ISP has allocated a small block of IP addresses to you,
but it can even be used in the case of single address:
redirect_address 10.0.0.8 0.0.0.0
The above command would redirect all incoming traffic
to machine 10.0.0.8.
If several address aliases specify the same public address
as follows
redirect_address 192.168.0.2 public_addr
redirect_address 192.168.0.3 public_addr
redirect_address 192.168.0.4 public_addr
the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic to the first two addresses will still be aliased
to specified public address.
.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed. If the interfaces IP number is changed,
.Nm
will dynamically alter its concept of the alias address.
.It Fl i | inport Ar inport
Read from and write to
.Ar inport ,
treating all packets as packets coming into the machine.
.It Fl o | outport Ar outport
Read from and write to
.Ar outport ,
treating all packets as packets going out of the machine.
.It Fl p | port Ar port
Read from and write to
.Ar port ,
distinguishing packets as incoming our outgoing using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Pa /etc/services
database using the
.Xr getservbyname 3
function. If this flag is not specified, the divert port named natd will
be used as a default. An example entry in the
.Pa /etc/services
database would be:
natd 8668/divert # Network Address Translation socket
Refer to
.Xr services 5
for further details.
.It Fl a | alias_address Ar address
Use
.Ar address
as the alias address. If this option is not specified, the
.Fl n
or
.Fl interface
option must be used. The specified address should be the address assigned
to the public network interface.
.Pp
All data passing out through this addresses interface will be rewritten
with a source address equal to
.Ar address .
All data arriving at the interface from outside will be checked to
see if it matches any already-aliased outgoing connection. If it does,
the packet is altered accordingly. If not, all
.Fl redirect_port
and
.Fl redirect_address
assignments are checked and actioned. If no other action can be made,
and if
.Fl deny_incoming
is not specified, the packet is delivered to the local machine and port
as specified in the packet.
.It Fl n | interface Ar interface
Use
.Ar interface
to determine the alias address. If there is a possibility that the
IP number associated with
.Ar interface
may change, the
.Fl dynamic
flag should also be used. If this option is not specified, the
.Fl a
or
.Fl alias_address
flag must be used.
.Pp
The specified
.Ar interface
must be the public network interface.
.It Fl f | config Ar configfile
Read configuration from
.Ar configfile .
.Ar Configfile
contains a list of options, one per line in the same form as the
long form of the above command line flags. For example, the line
alias_address 158.152.17.1
would specify an alias address of 158.152.17.1. Options that don't
take an argument are specified with an option of
.Ar yes
or
.Ar no
in the configuration file. For example, the line
log yes
is synonomous with
.Fl log .
Empty lines and lines beginning with '#' are ignored.
.It Fl reverse
Reverse operation of natd. This can be useful in some
transparent proxying situations when outgoing traffic
is redirected to the local machine and natd is running on the
incoming interface (it usually runs on the outgoing interface).
.It Fl proxy_only
Force natd to perform transparent proxying
only. Normal address translation is not performed.
.It Fl proxy_rule Ar [type encode_ip_hdr|encode_tcp_stream] port xxxx server a.b.c.d:yyyy
Enable transparent proxying. Packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet. Use
.Dq encode_ip_hdr
to put this information into the IP option field or
.Dq encode_tcp_stream
to inject the data into the beginning of the TCP stream.
.It Fl pptpalias Ar localIP
Allow PPTP packets to go to the defined localIP address. PPTP is a VPN or secure
IP tunneling technology being developed primarily by Microsoft. For its encrypted traffic,
it uses an old IP encapsulation protocol called GRE (47). This
natd option will translate any traffic of this protocol to a
single, specified IP address. This would allow either one client or one server
to be serviced with natd. If you are setting up a server, don't forget to allow the TCP traffic
for the PPTP setup. For a client or server, you must allow GRE (protocol 47) if you have firewall lists active.
.El
.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm natd :
.Bl -enum
.It
Get FreeBSD version 2.2 or higher. Versions before this do not support
.Xr divert 4
sockets.
.It
Build a custom kernel with the following options:
options IPFIREWALL
options IPDIVERT
Refer to the handbook for detailed instructions on building a custom
kernel.
.It
Ensure that your machine is acting as a gateway. This can be done by
specifying the line
gateway_enable=YES
in
.Pa /etc/rc.conf ,
or using the command
sysctl -w net.inet.ip.forwarding=1
.It
If you wish to use the
.Fl n
or
.Fl interface
flags, make sure that your interface is already configured. If, for
example, you wish to specify tun0 as your
.Ar interface ,
and you're using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm natd .
.It
Create an entry in
.Pa /etc/services :
natd 8668/divert # Network Address Translation socket
This gives a default for the
.Fl p
or
.Fl port
flag.
.El
.Pp
Running
.Nm
is fairly straight forward. The line
natd -interface ed0
should suffice in most cases (substituting the correct interface name). Once
.Nm
is running, you must ensure that traffic is diverted to natd:
.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste. If you're not interested in having a firewall, the
following lines will do:
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via ed0
/sbin/ipfw add pass all from any to any
The second line depends on your interface (change ed0 as appropriate)
and assumes that you've updated
.Pa /etc/services
with the natd entry as above. If you specify real firewall rules, it's
best to specify line 2 at the start of the script so that
.Nm
sees all packets before they are dropped by the firewall. The firewall
rules will be run again on each packet after translation by
.Nm natd ,
minus any divert rules.
.It
Enable your firewall by setting
firewall_enable=YES
in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script. If you don't wish to reboot now, just run this by hand from the
console. NEVER run this from a virtual session unless you put it into
the background. If you do, you'll lock yourself out after the flush
takes place, and execution of
.Pa /etc/rc.firewall
will stop at this point - blocking all accesses permanently. Running
the script in the background should be enough to prevent this disaster.
.El
.Sh SEE ALSO
.Xr getservbyname 2 ,
.Xr socket 2 ,
.Xr divert 4 ,
.Xr services 5 ,
.Xr ipfw 8
.Sh AUTHORS
This program is the result of the efforts of many people at different
times:
.An Archie Cobbs Aq archie@whistle.com
(divert sockets)
.An Charles Mott Aq cmott@srv.net
(packet aliasing)
.An Eivind Eklund Aq perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq suutari@iki.fi
(natd)
.An Dru Nelson Aq dnelson@redwoodsoft.com
(PPTP support)
.An Brian Somers Aq brian@awfulhak.org
(glue)

File diff suppressed because it is too large Load Diff

View File

@ -1,24 +0,0 @@
/*
* natd - Network Address Translation Daemon for FreeBSD.
*
* This software is provided free of charge, with no
* warranty of any kind, either expressed or implied.
* Use at your own risk.
*
* You may copy, modify and distribute this software (natd.h) freely.
*
* Ari Suutari <suutari@iki.fi>
*
* $Id:$
*/
#define PIDFILE "/var/run/natd.pid"
#define INPUT 1
#define OUTPUT 2
#define DONT_KNOW 3
extern void Quit (char* msg);
extern void Warn (char* msg);
extern int SendNeedFragIcmp (int sock, struct ip* failedDgram, int mtu);

View File

@ -1,94 +0,0 @@
#
# $Id:$
#
#
# Configuration file for natd.
#
#
# Enable logging to file /var/log/alias.log
#
log no
#
# Incoming connections. Should NEVER be set to "yes" if redirect_port,
# redirect_address, or permanent_link statements are activated in this file!
#
# Setting to yes provides additional anti-crack protection
#
deny_incoming no
#
# Use sockets to avoid port clashes. Uses additional system resources, but
# guarantees successful connections when port numbers conflict
#
use_sockets no
#
# Avoid port changes if possible when altering outbound packets. Makes rlogin
# work in most cases.
#
same_port yes
#
# Verbose mode. Enables dumping of packets and disables
# forking to background. Only set to yes for debugging.
#
verbose no
#
# Divert port. Can be a name in /etc/services or numeric value.
#
port 32000
#
# Interface name or address being aliased. Either one,
# not both is required.
#
# Obtain interface name from the command output of "ifconfig -a"
#
# alias_address 192.168.0.1
interface ep0
#
# Alias unregistered addresses or all addresses. Set this to yes if
# the inside network is all RFC1918 addresses.
#
unregistered_only no
#
# Configure permanent links. If you use host names instead
# of addresses here, be sure that name server works BEFORE
# natd is up - this is usually not the case. So either use
# numeric addresses or hosts that are in /etc/hosts.
#
# Note: Current versions of FreeBSD all call /etc/rc.firewall
# BEFORE running named, so if the DNS server and NAT are on the same
# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
#
# Map connections coming to port 30000 to telnet in my_private_host.
# Remember to allow the connection /etc/rc.firewall also.
#
# The following permanent_link and redirect_port statements are equivalent
#permanent_link tcp my_private_host:telnet 0.0.0.0:0 30000
#redirect_port tcp my_private_host:telnet 30000
#
# Map connections coming from host.xyz.com to port 30001 to
# telnet in another_host.
#permanent_link tcp another_host:telnet host.xyz.com:0 30001
#
# Static NAT address mapping:
#
# ipconfig must apply any legal IP numbers that inside hosts
# will be known by to the outside interface. These are sometimes known as
# virtual IP numbers. It's suggested to use the "interface" directive
# instead of the "alias_address" directive to make it more clear what is
# going on. (although both will work)
#
# DNS in this situation can get hairy. For example, an inside host
# named aweb.company.com is located at 192.168.1.56, and needs to be
# accessible through a legal IP number like 198.105.232.1. If both
# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
# for aweb.company.com, then external hosts attempting to access
# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
#
# The obvious solution is to use only a single address for the name, the
# outside address. However, this creates needless traffic through the
# NAT, because inside hosts will go through the NAT to get to the legal
# number, even when the inside number is on the same subnet as they are!
#
# It's probably not a good idea to use DNS names in redirect_address statements
#
#The following mapping points outside address 198.105.232.1 to 192.168.1.56
#redirect_address 192.168.1.56 198.105.232.1

View File

@ -1,14 +0,0 @@
#!/bin/sh
if [ $# != 1 ]
then
echo "usage: natd.test ifname"
exit 1
fi
ipfw flush
ipfw add divert 32000 ip from any to any via $1
ipfw add pass ip from any to any
./natd -port 32000 -interface $1 -verbose