From 32fa3677a8083c70d242824956c7b82404b3e624 Mon Sep 17 00:00:00 2001 From: brian Date: Sat, 4 Jul 1998 12:07:03 +0000 Subject: Make things clearer. Submitted (some time ago) by: Ted Mittelstaedt --- sbin/natd/samples/natd.cf.sample | 56 +++++++++++++++++++++++++++++++++++----- 1 file changed, 49 insertions(+), 7 deletions(-) (limited to 'sbin/natd') diff --git a/sbin/natd/samples/natd.cf.sample b/sbin/natd/samples/natd.cf.sample index 46eee91..df1018b 100644 --- a/sbin/natd/samples/natd.cf.sample +++ b/sbin/natd/samples/natd.cf.sample @@ -1,26 +1,33 @@ # +# $Id:$ +# +# # Configuration file for natd. # # -# Logging to /var/log +# Enable logging to file /var/log/alias.log # log no # -# Incoming connections. +# Incoming connections. Should NEVER be set to "yes" if redirect_port, +# redirect_address, or permanent_link statements are activated in this file! +# +# Setting to yes provides additional anti-crack protection # deny_incoming no # -# Use sockets to avoid port clashes. +# Use sockets to avoid port clashes. Uses additional system resources, but +# guarantees successful connections when port numbers conflict # use_sockets no # -# Avoid port changes if possible. Makes rlogin work -# in most cases. +# Avoid port changes if possible when altering outbound packets. Makes rlogin +# work in most cases. # same_port yes # # Verbose mode. Enables dumping of packets and disables -# forking to background. +# forking to background. Only set to yes for debugging. # verbose no # @@ -31,10 +38,13 @@ port 32000 # Interface name or address being aliased. Either one, # not both is required. # +# Obtain interface name from the command output of "ifconfig -a" +# # alias_address 192.168.0.1 interface ep0 # -# Alias unregistered addresses or all addresses. +# Alias unregistered addresses or all addresses. Set this to yes if +# the inside network is all RFC1918 addresses. # unregistered_only no # @@ -43,10 +53,42 @@ unregistered_only no # natd is up - this is usually not the case. So either use # numeric addresses or hosts that are in /etc/hosts. # +# Note: Current versions of FreeBSD all call /etc/rc.firewall +# BEFORE running named, so if the DNS server and NAT are on the same +# machine, the nameserver won't be up if natd is called from /etc/rc.firewall +# # Map connections coming to port 30000 to telnet in my_private_host. # Remember to allow the connection /etc/rc.firewall also. +# +# The following permanent_link and redirect_port statements are equivalent #permanent_link tcp my_private_host:telnet 0.0.0.0:0 30000 +#redirect_port tcp my_private_host:telnet 30000 # # Map connections coming from host.xyz.com to port 30001 to # telnet in another_host. #permanent_link tcp another_host:telnet host.xyz.com:0 30001 +# +# Static NAT address mapping: +# +# ipconfig must apply any legal IP numbers that inside hosts +# will be known by to the outside interface. These are sometimes known as +# virtual IP numbers. It's suggested to use the "interface" directive +# instead of the "alias_address" directive to make it more clear what is +# going on. (although both will work) +# +# DNS in this situation can get hairy. For example, an inside host +# named aweb.company.com is located at 192.168.1.56, and needs to be +# accessible through a legal IP number like 198.105.232.1. If both +# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS +# for aweb.company.com, then external hosts attempting to access +# aweb.company.com may use address 192.168.1.56 which is inaccessible to them. +# +# The obvious solution is to use only a single address for the name, the +# outside address. However, this creates needless traffic through the +# NAT, because inside hosts will go through the NAT to get to the legal +# number, even when the inside number is on the same subnet as they are! +# +# It's probably not a good idea to use DNS names in redirect_address statements +# +#The following mapping points outside address 198.105.232.1 to 192.168.1.56 +#redirect_address 192.168.1.56 198.105.232.1 -- cgit v1.1