#
#
#
# Configuration file for natd.
#
#
# Enable logging to file /var/log/alias.log
#
log no
#
# Incoming connections. Should NEVER be set to "yes" if redirect_port
# or redirect_address statements are activated in this file!
#
# Setting to yes provides additional anti-crack protection
#
deny_incoming no
#
# Use sockets to avoid port clashes. Uses additional system resources, but
# guarantees successful connections when port numbers conflict
#
use_sockets no
#
# Avoid port changes if possible when altering outbound packets. Makes rlogin
# work in most cases.
#
same_ports yes
#
# Verbose mode. Enables dumping of packets and disables
# forking to background. Only set to yes for debugging.
#
verbose no
#
# Divert port. Can be a name in /etc/services or numeric value.
#
port 32000
#
# Interface name or address being aliased. Either one,
# not both, is required.
#
# Obtain interface name from the command output of "ifconfig -a"
#
# alias_address 192.168.0.1
interface ep0
#
# Alias unregistered addresses or all addresses. Set this to yes if
# the inside network is all RFC1918 addresses.
#
unregistered_only no
#
# Configure permanent links. If you use host names instead
# of addresses here, be sure that the name server works BEFORE
# natd is up - this is usually not the case. So either use
# numeric addresses or hosts that are in /etc/hosts.
#
# Note: Current versions of FreeBSD all call /etc/rc.firewall
# BEFORE running named, so if the DNS server and NAT are on the same
# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
#
# Map connections coming to port 30000 to telnet in my_private_host.
# Remember to allow the connection in /etc/rc.firewall also.
#
#redirect_port tcp my_private_host:telnet 30000
#
# Map connections coming from host.xyz.com to port 30001 to
# telnet in another_host.
#redirect_port tcp another_host:telnet 30001 host.xyz.com
#
# Static NAT address mapping:
#
# ifconfig must apply any legal IP numbers that inside hosts
# will be known by to the outside interface. These are sometimes known as
# virtual IP numbers. It's suggested to use the "interface" directive
# instead of the "alias_address" directive to make it more clear what is
# going on. (although both will work)
#
# DNS in this situation can get hairy. For example, an inside host
# named aweb.company.com is located at 192.168.1.56, and needs to be
# accessible through a legal IP number like 198.105.232.1. If both
# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
# for aweb.company.com, then external hosts attempting to access
# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
#
# The obvious solution is to use only a single address for the name, the
# outside address. However, this creates needless traffic through the
# NAT, because inside hosts will go through the NAT to get to the legal
# number, even when the inside number is on the same subnet as they are!
#
# It's probably not a good idea to use DNS names in redirect_address statements
#
#The following mapping points outside address 198.105.232.1 to 192.168.1.56
#redirect_address 192.168.1.56 198.105.232.1
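The comments in this sample file spell out several rules that are easy to break when the file is edited by hand: deny_incoming must not be "yes" while redirect_port or redirect_address statements are active, only one of interface and alias_address should be given, verbose is for debugging only, and host names in redirect statements depend on a resolver that may not be up when natd starts. The following checker is an added example and is not part of FreeBSD's natd or its sample configuration; it parses the one-directive-per-line format shown above and reports those combinations. The natd.cf text it runs over is constructed for this example, and the rule that a bare redirect argument containing a dot is a host while a bare digits-only argument is a port is a simplification chosen here, not natd's own grammar.

```python
"""Sanity checker for a natd.cf-style configuration (added example).

Not part of FreeBSD's natd; it reads the "option value" / "#comment"
line format used by the sample natd.cf and flags the combinations the
sample's comments warn against.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatdConfig:
    options: dict = field(default_factory=dict)    # single-valued options
    redirects: list = field(default_factory=list)  # (keyword, [args]) tuples


def parse_natd_cf(text):
    """Parse natd.cf text: one directive per line, '#' starts a comment."""
    cfg = NatdConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in ("redirect_port", "redirect_address"):
            cfg.redirects.append((keyword, args))
        else:
            # plain options take one value ("log no", "port 32000", ...)
            cfg.options[keyword] = " ".join(args)
    return cfg


def _host_parts(args):
    """Yield the host portion of redirect arguments, skipping bare ports.

    Simplification for this example: "host:port" yields host, a bare
    argument containing '.' is a host, anything else (a port or port
    range such as 30000 or 23-25) is skipped.
    """
    for arg in args:
        if ":" in arg:
            yield arg.rsplit(":", 1)[0]
        elif "." in arg:
            yield arg


def _is_numeric_host(host):
    """True if host is a literal IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_natd_cf(text):
    """Return a list of (code, message) findings for the given natd.cf text."""
    cfg = parse_natd_cf(text)
    findings = []
    if cfg.options.get("deny_incoming") == "yes" and cfg.redirects:
        findings.append(("deny_incoming",
                         "deny_incoming yes blocks the inbound connections that "
                         "the redirect_* statements are meant to admit"))
    if "interface" in cfg.options and "alias_address" in cfg.options:
        findings.append(("alias_source",
                         "both interface and alias_address are set; use one, not both"))
    if cfg.options.get("verbose") == "yes":
        findings.append(("verbose",
                         "verbose yes dumps packets and keeps natd in the foreground"))
    for keyword, args in cfg.redirects:
        # redirect_port's first argument is the protocol, not a host
        candidates = args[1:] if keyword == "redirect_port" else args
        for host in _host_parts(candidates):
            if not _is_numeric_host(host):
                findings.append(("hostname",
                                 f"{keyword} uses host name {host!r}; the resolver "
                                 "may not be up when natd starts"))
    return findings


# Constructed sample: a natd.cf that breaks every rule the sample comments state.
WEAK_CF = """\
log no
deny_incoming yes
verbose yes
port 32000
alias_address 192.168.0.1
interface ep0
redirect_port tcp my_private_host:telnet 30000
redirect_port tcp 192.168.1.2:23 30001 host.xyz.com
redirect_address 192.168.1.56 198.105.232.1
"""

# Constructed sample: the same intent with each problem corrected.
HARDENED_CF = """\
log no
deny_incoming no
verbose no
port 32000
interface ep0
redirect_port tcp 192.168.1.3:23 30000
redirect_port tcp 192.168.1.2:23 30001 203.0.113.10
redirect_address 192.168.1.56 198.105.232.1
"""

if __name__ == "__main__":
    for code, message in lint_natd_cf(WEAK_CF):
        print(f"{code}: {message}")
    print("hardened findings:", lint_natd_cf(HARDENED_CF))
```

Run as a script it prints five findings for the weak file (the deny_incoming conflict, the double alias source, verbose, and the two host names) and none for the hardened one; pointing lint_natd_cf at the text of a real /etc/natd.cf gives the same checks before the daemon is restarted.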