In article <[EMAIL PROTECTED]> you write:

># allow everything to the another building
>add allow ip from any to 172.27.40.0/23
>add divert natd ip from any to any via xl0
>add allow ip from any to any

I'm not familiar with natd but I guess this means that traffic towards
172.27.40.0/23 should not be NATted but the rest should.

>my internal network is 172.27.0.0/23 and the network in the other building is
>172.27.40.0/23. Their configuration is correct as they are able to
>masquerade with another building successfully. Now, what we were doing is
>allow our workstations to use their services one with another. So a station
>from the other building (let's say 172.27.40.133) was able to ftp, telnet,
>ssh to a station in my building (for instance 172.27.1.5). So what was sent
>to the other building was sent "un-masqueraded" (the divert rule came after allow).
>Also we had to add a route like:
>"route add -net 172.27.40.0 otherbuilding 255.255.254.0".
>
>-- ipnat.rules --
>map xl0 172.27.0.0/23 -> x.x.x.x/32 proxy port ftp ftp/tcp
>map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32

Try something like this:

map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32

0/0 is a special directive to indicate that no NAT-ing should take place
(0/32 is shorthand for the current IP address of the xl0 interface,
useful if that address is obtained via DHCP).

The first two rules say that traffic from 172.27.0.0/23 towards
172.27.40.0/23 should not be natted (but the kernel ftp proxy is still
used in this case). The rest will be NAT-ed to x.x.x.x.

>-- rc.conf --
>ipfilter_enable="YES"
>ipfilter_program="/sbin/ipf -Fa -f"
>ipfilter_flags=""
>ipfilter_rules="/etc/ipf.rules"
>ipnat_enable="YES"
>ipnat_program="/sbin/ipnat -CF -f"
>ipnat_rules="/etc/ipnat.rules"
>ipmon_enable="YES"
>ipmon_program="/sbin/ipmon"
>ipmon_flags="-Ds"

You only need the _enable variables here.

>Dunno what more to say... does anyone have any ideas? Have I forgotten
>something or is ipnat dumber than natd?

Nope :)

Arjan

-- 
Arjan de Vet, Eindhoven, The Netherlands               <[EMAIL PROTECTED]>
URL : http://www.iae.nl/users/devet/            <[EMAIL PROTECTED]>
Work: http://www.madison-gurkha.com/  (Security, Open Source, Education)

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
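As an added illustration (not part of the original message or of IPFilter itself), a small Python model of the four map rules proposed above, so that rule ordering can be checked on paper before loading them: it assumes rules are tried top to bottom with the first match winning, that a target of 0/0 leaves the source address untouched as the reply describes, and keeps x.x.x.x as the page's placeholder for the public address.

```python
import ipaddress
import re

# Grammar of the map lines used in the reply (a hypothetical subset of ipnat syntax).
RULE_RE = re.compile(
    r"map\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)\s+->\s+(\S+)"
    r"(?:\s+proxy\s+port\s+(\S+)\s+(\S+)/(\S+))?\s*$"
)
PORT_NAMES = {"ftp": 21}  # service names accepted in 'proxy port <name>'

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def parse_rules(text):
    """Parse 'map IF from SRC to DST -> TARGET [proxy port P NAME/PROTO]' lines."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line}")
        iface, src, dst, target, port, pname, proto = m.groups()
        rules.append({
            "iface": iface, "src": _net(src), "dst": _net(dst), "target": target,
            # a proxy rule only fires for its own port/protocol (ftp/tcp = 21/tcp)
            "proxy": (PORT_NAMES.get(port) or int(port), pname, proto) if port else None,
        })
    return rules

def translate(rules, iface, src_ip, dst_ip, proto, dport):
    """First matching rule wins (assumed). Returns (new_src, proxy_name) or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["iface"] != iface or src not in r["src"] or dst not in r["dst"]:
            continue
        if r["proxy"] and (dport, proto) != (r["proxy"][0], r["proxy"][2]):
            continue
        proxy = r["proxy"][1] if r["proxy"] else None
        if r["target"].startswith("0/0"):        # 0/0: leave the source address alone
            return str(src), proxy
        return r["target"].split("/")[0], proxy  # e.g. x.x.x.x/32 -> x.x.x.x
    return None                                  # no rule matched: packet passes untouched

# The four rules proposed in the reply (x.x.x.x left as the page's placeholder).
RULES = parse_rules("""
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to 172.27.40.0/23 -> 0/0
map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32 proxy port ftp ftp/tcp
map xl0 from 172.27.0.0/23 to any -> x.x.x.x/32
""")

if __name__ == "__main__":
    for dst, port in (("172.27.40.133", 22), ("172.27.40.133", 21), ("198.51.100.10", 21)):
        print(dst, port, translate(RULES, "xl0", "172.27.1.5", dst, "tcp", port))
```

Swapping the order of the 0/0 rules and the x.x.x.x rules in RULES shows why the untranslated rules must come first: the "to any" rules would otherwise catch the other building's traffic too.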
