natd.cf.sample revision 45970
#
# $Id: natd.cf.sample,v 1.2 1998/07/04 12:07:03 brian Exp $
#
#
# Configuration file for natd.
#
#
# Enable logging to file /var/log/alias.log
#
log no
#
# Incoming connections. Should NEVER be set to "yes" if redirect_port,
# redirect_address, or permanent_link statements are activated in this file!
#
# Setting to yes provides additional anti-crack protection.
#
deny_incoming no
#
# Use sockets to avoid port clashes. Uses additional system resources, but
# guarantees successful connections when port numbers conflict.
#
use_sockets no
#
# Avoid port changes if possible when altering outbound packets. Makes rlogin
# work in most cases.
#
same_ports yes
#
# Verbose mode. Enables dumping of packets and disables
# forking to background. Only set to yes for debugging.
#
verbose no
#
# Divert port. Can be a name in /etc/services or a numeric value.
#
port 32000
#
# Interface name or address being aliased. Either one,
# but not both, is required.
#
# Obtain the interface name from the output of "ifconfig -a".
#
# alias_address 192.168.0.1
interface ep0
#
# Alias unregistered addresses or all addresses. Set this to yes if
# the inside network is all RFC1918 addresses.
#
unregistered_only no
#
# Configure permanent links. If you use host names instead
# of addresses here, be sure that the name server works BEFORE
# natd is up - this is usually not the case. So either use
# numeric addresses or hosts that are in /etc/hosts.
#
# Note: Current versions of FreeBSD all call /etc/rc.firewall
# BEFORE running named, so if the DNS server and NAT are on the same
# machine, the nameserver won't be up if natd is called from /etc/rc.firewall.
#
# Map connections coming to port 30000 to telnet in my_private_host.
# Remember to allow the connection in /etc/rc.firewall also.
#
# The following permanent_link and redirect_port statements are equivalent:
#permanent_link tcp my_private_host:telnet 0.0.0.0:0 30000
#redirect_port tcp my_private_host:telnet 30000
#
# Map connections coming from host.xyz.com to port 30001 to
# telnet in another_host.
#permanent_link tcp another_host:telnet host.xyz.com:0 30001
#
# Static NAT address mapping:
#
# Every legal IP number that inside hosts will be known by must first be
# added to the outside interface with ifconfig. These are sometimes known as
# virtual IP numbers. It's suggested to use the "interface" directive
# instead of the "alias_address" directive to make it more clear what is
# going on (although both will work).
#
# DNS in this situation can get hairy. For example, an inside host
# named aweb.company.com is located at 192.168.1.56, and needs to be
# accessible through a legal IP number like 198.105.232.1. If both
# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
# for aweb.company.com, then external hosts attempting to access
# aweb.company.com may use address 192.168.1.56, which is inaccessible to them.
#
# The obvious solution is to use only a single address for the name, the
# outside address. However, this creates needless traffic through the
# NAT, because inside hosts will go through the NAT to get to the legal
# number, even when the inside number is on the same subnet as they are!
#
# It's probably not a good idea to use DNS names in redirect_address statements.
#
# The following mapping points outside address 198.105.232.1 to 192.168.1.56
#redirect_address 192.168.1.56 198.105.232.1
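The sample states several constraints that are easy to violate when editing the file by hand: deny_incoming must not be set to yes alongside redirect_port, redirect_address or permanent_link; interface and alias_address are alternatives, not a pair; redirect targets should be numeric (or in /etc/hosts) because /etc/rc.firewall runs natd before named; and a permanent_link whose remote endpoint is 0.0.0.0:0 is equivalent to a redirect_port. The checker below encodes those rules as a small linter over a natd.cf file. It is an added example, not code from natd or the FreeBSD tree; the two embedded configurations are constructed for the demonstration, and the parser only understands the whitespace-separated "directive args" lines and "#" comment lines that the sample itself uses.

```python
import re

# Constructed sample input: a natd.cf that breaks several of the sample
# file's rules at once, so the linter has something to report.
BAD_CONF = """\
# deny_incoming yes together with static redirects
deny_incoming yes
use_sockets no
same_ports yes
port 32000
# interface and alias_address are alternatives, not a pair
alias_address 192.168.0.1
interface ep0
unregistered_only yes
permanent_link tcp my_private_host:telnet 0.0.0.0:0 30000
redirect_address 192.168.1.56 198.105.232.1
"""

# Constructed sample input that follows every rule in the sample file.
GOOD_CONF = """\
deny_incoming no
port 32000
interface ep0
unregistered_only yes
redirect_port tcp 192.168.1.56:23 30000
redirect_address 192.168.1.56 198.105.232.1
"""

_REDIRECTORS = ("redirect_port", "redirect_address", "permanent_link")
_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_natd_conf(text):
    """Split natd.cf text into (directive, args) pairs.

    Each non-blank line is 'directive [arg ...]'; '#' starts a comment.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            directive, *args = line.split()
            entries.append((directive, args))
    return entries


def is_numeric_host(host):
    """True for a dotted-quad IPv4 literal; hostnames need a working
    resolver before natd starts, which /etc/rc.firewall does not guarantee."""
    return bool(_DOTTED_QUAD.match(host))


def permanent_link_to_redirect_port(args):
    """Rewrite 'permanent_link PROTO TARGET:PORT 0.0.0.0:0 ALIASPORT' as the
    equivalent 'redirect_port PROTO TARGET:PORT ALIASPORT' the sample shows.

    Returns None when the remote endpoint is not the 0.0.0.0:0 wildcard:
    that form restricts the source host and is not a plain redirect_port.
    """
    if len(args) != 4:
        return None
    proto, target, remote, alias_port = args
    if remote != "0.0.0.0:0":
        return None
    return f"redirect_port {proto} {target} {alias_port}"


def lint_natd_conf(text):
    """Return a list of warning strings for violations of the sample's rules."""
    entries = parse_natd_conf(text)
    directives = {d for d, _ in entries}
    warnings = []

    # Rule 1: deny_incoming yes must not be combined with static redirects.
    if ("deny_incoming", ["yes"]) in entries:
        used = sorted(directives.intersection(_REDIRECTORS))
        if used:
            warnings.append("deny_incoming yes conflicts with " + ", ".join(used))

    # Rule 2: 'interface' and 'alias_address' are alternatives.
    if {"interface", "alias_address"} <= directives:
        warnings.append("use either 'interface' or 'alias_address', not both")

    # Rule 3: redirect targets should be numeric, since natd normally
    # starts before the nameserver does.
    for directive, args in entries:
        if directive not in _REDIRECTORS:
            continue
        if directive == "redirect_address":
            hosts = args
        else:
            hosts = [t.rsplit(":", 1)[0] for t in args if ":" in t]
        for host in hosts:
            if not is_numeric_host(host):
                warnings.append(f"{directive}: '{host}' is a hostname; "
                                "use a numeric address or an /etc/hosts entry")
    return warnings


if __name__ == "__main__":
    for name, conf in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, lint_natd_conf(conf) or ["ok"])
```

The hostname rule deliberately ignores service names such as telnet in the port position: those are resolved from the local /etc/services, so they do not depend on the nameserver the way a host name does.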