xref: /freebsd/sbin/natd/samples/natd.cf.sample (revision d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf) 
1#
2#
3#
4# Configuration file for natd.
5#
6#
7# Enable logging to file /var/log/alias.log
8#
9log		no
10#
11# Incoming connections.  Should NEVER be set to "yes" if redirect_port
12# or redirect_address statements are activated in this file!
13#
14# Setting to yes provides additional anti-crack protection
15#
16deny_incoming	no
17#
18# Use sockets to avoid port clashes.  Uses additional system resources, but
19# guarantees successful connections when port numbers conflict
20#
21use_sockets	no
22#
23# Avoid port changes if possible when altering outbound packets. Makes rlogin
24# work in most cases.
25#
26same_ports	yes
27#
28# Verbose mode. Enables dumping of packets and disables
29# forking to background.  Only set to yes for debugging.
30#
31verbose		no
32#
33# Divert port. Can be a name in /etc/services or numeric value.
34#
35port		32000
36#
37# Interface name or address being aliased. Either one,
38# not both is required.
39#
40# Obtain interface name from the command output of "ifconfig -a"
41#
42# alias_address	192.168.0.1
43interface	ep0
44#
45# Alias unregistered addresses or all addresses.  Set this to yes if
46# the inside network is all RFC1918 addresses.
47#
48unregistered_only	no
49#
50# Configure permanent links. If you use host names instead
51# of addresses here, be sure that name server works BEFORE
52# natd is up - this is usually not the case. So either use
53# numeric addresses or hosts that are in /etc/hosts.
54#
55# Note:  Current versions of FreeBSD all call /etc/rc.firewall
56# BEFORE running named, so if the DNS server and NAT are on the same
57# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
58#
59# Map connections coming to port 30000 to telnet in my_private_host.
60# Remember to allow the connection /etc/rc.firewall also.
61#
62#redirect_port		tcp my_private_host:telnet 30000
63#
64# Map connections coming from host.xyz.com to port 30001 to
65# telnet in another_host.
66#redirect_port		tcp another_host:telnet 30001 host.xyz.com
67#
68# Static NAT address mapping:
69#
70#  ipconfig must apply any legal IP numbers that inside hosts
71# will be known by to the outside interface.  These are sometimes known as
72# virtual IP numbers.  It's suggested to use the "interface" directive
73# instead of the "alias_address" directive to make it more clear what is
74# going on. (although both will work)
75#
76# DNS in this situation can get hairy.  For example, an inside host
77# named aweb.company.com is located at 192.168.1.56, and needs to be
78# accessible through a legal IP number like 198.105.232.1.  If both
79# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
80# for aweb.company.com, then external hosts attempting to access
81# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
82#
83# The obvious solution is to use only a single address for the name, the
84# outside address.  However, this creates needless traffic through the
85# NAT, because inside hosts will go through the NAT to get to the legal
86# number, even when the inside number is on the same subnet as they are!
87#
88# It's probably not a good idea to use DNS names in redirect_address statements
89#
90#The following mapping points outside address 198.105.232.1 to 192.168.1.56
91#redirect_address  192.168.1.56		198.105.232.1
92