126781Sbrian# 250476Speter# $FreeBSD$ 337374Sbrian# 437374Sbrian# 526781Sbrian# Configuration file for natd. 626781Sbrian# 726781Sbrian# 837374Sbrian# Enable logging to file /var/log/alias.log 926781Sbrian# 1026781Sbrianlog no 1126781Sbrian# 1251242Sru# Incoming connections. Should NEVER be set to "yes" if redirect_port 1351242Sru# or redirect_address statements are activated in this file! 1426781Sbrian# 1537374Sbrian# Setting to yes provides additional anti-crack protection 1637374Sbrian# 1726781Sbriandeny_incoming no 1826781Sbrian# 1937374Sbrian# Use sockets to avoid port clashes. Uses additional system resources, but 2037374Sbrian# guarantees successful connections when port numbers conflict 2126781Sbrian# 2226781Sbrianuse_sockets no 2326781Sbrian# 2437374Sbrian# Avoid port changes if possible when altering outbound packets. Makes rlogin 2537374Sbrian# work in most cases. 2626781Sbrian# 2745970Ssadasame_ports yes 2826781Sbrian# 2926781Sbrian# Verbose mode. Enables dumping of packets and disables 3037374Sbrian# forking to background. Only set to yes for debugging. 3126781Sbrian# 3226781Sbrianverbose no 3326781Sbrian# 3426781Sbrian# Divert port. Can be a name in /etc/services or numeric value. 3526781Sbrian# 3626781Sbrianport 32000 3726781Sbrian# 3826781Sbrian# Interface name or address being aliased. Either one, 3926781Sbrian# not both is required. 4026781Sbrian# 4137374Sbrian# Obtain interface name from the command output of "ifconfig -a" 4237374Sbrian# 4326781Sbrian# alias_address 192.168.0.1 4426781Sbrianinterface ep0 4526781Sbrian# 4637374Sbrian# Alias unregistered addresses or all addresses. Set this to yes if 4751242Sru# the inside network is all RFC1918 addresses. 4826781Sbrian# 4926781Sbrianunregistered_only no 5026781Sbrian# 5126781Sbrian# Configure permanent links. If you use host names instead 5226781Sbrian# of addresses here, be sure that name server works BEFORE 5326781Sbrian# natd is up - this is usually not the case. So either use 5426781Sbrian# numeric addresses or hosts that are in /etc/hosts. 5526781Sbrian# 5637374Sbrian# Note: Current versions of FreeBSD all call /etc/rc.firewall 5751242Sru# BEFORE running named, so if the DNS server and NAT are on the same 5837374Sbrian# machine, the nameserver won't be up if natd is called from /etc/rc.firewall 5937374Sbrian# 6026781Sbrian# Map connections coming to port 30000 to telnet in my_private_host. 6126781Sbrian# Remember to allow the connection /etc/rc.firewall also. 6237374Sbrian# 6337374Sbrian#redirect_port tcp my_private_host:telnet 30000 6426781Sbrian# 6551242Sru# Map connections coming from host.xyz.com to port 30001 to 6626781Sbrian# telnet in another_host. 6751242Sru#redirect_port tcp another_host:telnet 30001 host.xyz.com 6837374Sbrian# 6937374Sbrian# Static NAT address mapping: 7037374Sbrian# 7137374Sbrian# ipconfig must apply any legal IP numbers that inside hosts 7237374Sbrian# will be known by to the outside interface. These are sometimes known as 7337374Sbrian# virtual IP numbers. It's suggested to use the "interface" directive 7437374Sbrian# instead of the "alias_address" directive to make it more clear what is 7537374Sbrian# going on. (although both will work) 7637374Sbrian# 7737374Sbrian# DNS in this situation can get hairy. For example, an inside host 7851242Sru# named aweb.company.com is located at 192.168.1.56, and needs to be 7937374Sbrian# accessible through a legal IP number like 198.105.232.1. If both 8037374Sbrian# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS 8137374Sbrian# for aweb.company.com, then external hosts attempting to access 8237374Sbrian# aweb.company.com may use address 192.168.1.56 which is inaccessible to them. 8337374Sbrian# 8437374Sbrian# The obvious solution is to use only a single address for the name, the 8537374Sbrian# outside address. However, this creates needless traffic through the 8637374Sbrian# NAT, because inside hosts will go through the NAT to get to the legal 8737374Sbrian# number, even when the inside number is on the same subnet as they are! 8837374Sbrian# 8937374Sbrian# It's probably not a good idea to use DNS names in redirect_address statements 9037374Sbrian# 9137374Sbrian#The following mapping points outside address 198.105.232.1 to 192.168.1.56 9237374Sbrian#redirect_address 192.168.1.56 198.105.232.1 93