On Fri, Aug 06, 2004 at 10:50:39PM +0400, Andrew said:

> Hi!
>
> What is the best way to retain most of the NAT functionality?
> If you are happy to not know what Wingate is, try to assume that it is
> just another nat-box. Can bsd somehow "forward" connection, so that the
> nat-box almost feels like it has a real IP?
Perhaps you should let your router do all the PPP, and then set the default gateway on the hosts of your network to your FreeBSD machine (with its gateway set to the router).

However, if you're initiating a PPPoE session from FreeBSD or have some other way that this is working, then you need only add the following lines to FreeBSD to support NAT:

in /etc/rc.conf, add:

    router_enable="YES"
    gateway_enable="YES"

You should also consider adding, especially if your BSD machine is live to the Internet, and not behind NAT itself:

    firewall_enable="YES"
    firewall_type="/etc/rc.firewall.rules"

where /etc/rc.firewall.rules is a plain text file in the following firewall rule format:

    [EMAIL PROTECTED] /]$ less /etc/rc.firewall.rules
    add allow tcp from any to any 21
    add allow tcp from any to any 25
    add allow tcp from any to any 113
    add allow udp from any to any 53 keep-state
    add allow tcp from any to any 53
    add allow udp from any to any 123 keep-state
    add allow tcp from any to any 80
    add allow tcp from any to any 22
    add allow ip from me to any
    add allow icmp from any to any
    add allow ip from 10.0.0.0/24 to any
    add allow tcp from any to any established
    add allow ip from any to any frag

As you can see above, the rules I've included allow traffic from any to any on several ports (ftp/dns/www/ssh, etc) and then the following five lines allow IP, ICMP, IP traffic from the 10.0.0.0/24 network, and 'add allow tcp from any to any established' (which is very important for NAT behind a firewall) and frag (fragmented connections).

If you implement a firewall you will need that 'established' line, because it allows TCP/IP traffic to flow from any host on the Internet to any host via the socket (TCP connection to a host on a specific port) that was established by the NAT client who initiated the connection.

i.e., if client 10.0.0.1 requests http://www.freebsd.org:80, the NAT gateway, according to 'allow tcp from any to any established' will allow traffic to flow between www.freebsd.org to 10.0.0.1 on port 80 for the life of the open socket. Once that socket is closed by either end, it means the client or the remote server can no longer communicate to each other unless a new socket is opened by the NAT client.

Cheers,

-- 
Adam Smith
Internode : http://www.internode.on.net
Phone : (08) 8228 2999
Dog for sale: Eats lots and is fond of children.
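A first-match simulator for the ipfw rule list quoted in the reply above, written as an added example (it is not code from the thread or from FreeBSD): it shows which packets the static rules accept and which fall through to ipfw's default deny, in particular that the return half of a client's web connection is accepted only by the 'established' rule (ipfw's 'established' matches TCP segments with the ACK or RST bit set). The gateway addresses in ME are assumed, and the sample packets are constructed.

```python
import ipaddress
RULES_TEXT = """\
add allow tcp from any to any 21
add allow tcp from any to any 25
add allow tcp from any to any 113
add allow udp from any to any 53 keep-state
add allow tcp from any to any 53
add allow udp from any to any 123 keep-state
add allow tcp from any to any 80
add allow tcp from any to any 22
add allow ip from me to any
add allow icmp from any to any
add allow ip from 10.0.0.0/24 to any
add allow tcp from any to any established
add allow ip from any to any frag
"""
ME = {"203.0.113.10", "10.0.0.254"}  # assumed addresses of the gateway itself (constructed)

def parse_rules(text):
    """Parse 'add allow <proto> from <src> to <dst> [dport] [option]' lines into dicts."""
    rules = []
    for w in (line.split() for line in text.splitlines() if line.startswith("add")):
        r = {"proto": w[2], "src": w[4], "dst": w[6], "dport": None, "opt": None, "text": " ".join(w)}
        for tok in w[7:]:  # trailing tokens: a destination port and/or an option keyword
            r["dport" if tok.isdigit() else "opt"] = int(tok) if tok.isdigit() else tok
        rules.append(r)
    return rules

def addr_match(pat, addr):
    if pat == "any":
        return True
    if pat == "me":  # ipfw 'me': any address configured on the firewall host
        return addr in ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)

def matches(r, pkt):
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    if not (addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])):
        return False
    if r["dport"] is not None and pkt.get("dport") != r["dport"]:
        return False
    if r["opt"] == "established":  # ipfw: TCP segment with the ACK or RST bit set
        return bool(pkt.get("flags", set()) & {"ACK", "RST"})
    if r["opt"] == "frag":         # non-first IP fragment
        return pkt.get("frag", False)
    return True  # keep-state adds a dynamic entry; the static match itself is unchanged

def first_match(rules, pkt):
    # Text of the first matching rule, or None: ipfw's default is to deny.
    return next((r["text"] for r in rules if matches(r, pkt)), None)
```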