| author | Ruslan Ermilov <ru@FreeBSD.org> | 2000-11-16 12:20:54 +0000 |
|---|---|---|
| committer | Ruslan Ermilov <ru@FreeBSD.org> | 2000-11-16 12:20:54 +0000 |
| commit | d2a46bc99d53e1701885277035a6b17ca58f2f2b (patch) | |
| tree | b0831b7d14aa5367553618d395669538ed87bca1 /sbin/natd/natd.8 | |
| parent | d5c58b9b787cd0a8ee22511b177977ab4f64fc4f (diff) | |
Describe -deny_incoming better, highlight some keywords,
add myself to the AUTHORS section.
Notes:
svn path=/head/; revision=68823
Diffstat (limited to 'sbin/natd/natd.8')
-rw-r--r-- | sbin/natd/natd.8 | 79 |
1 files changed, 57 insertions, 22 deletions
diff --git a/sbin/natd/natd.8 b/sbin/natd/natd.8 index 04a2c9b5f561..a9691ff536aa 100644 --- a/sbin/natd/natd.8 +++ b/sbin/natd/natd.8 @@ -7,6 +7,7 @@ .Nd Network Address Translation Daemon .Sh SYNOPSIS .Nm natd +.Bk -words .Op Fl unregistered_only | u .Op Fl log | l .Op Fl proxy_only @@ -30,6 +31,7 @@ .Op Fl log_denied .Op Fl log_facility Ar facility_name .Op Fl punch_fw Ar firewall_range +.Ek .Sh DESCRIPTION This program provides a Network Address Translation facility for use with @@ -60,7 +62,7 @@ checked against this internal table. If an entry is found, it is used to determine the correct target IP number and port to place in the packet. .Pp -The following command line options are available. +The following command line options are available: .Bl -tag -width Fl .It Fl log | l Log various aliasing statistics and information to the file @@ -69,8 +71,13 @@ This file is truncated each time .Nm is started. .It Fl deny_incoming | d -Do not pass packets destined for the current IP number that have no +Do not pass incoming packets that have no entry in the internal translation table. +.Pp +If this option is not used, then such a packet will be altered +using the rules in +.Fl target_address +below, and the entry will be made in the internal translation table. .It Fl log_denied Log denied incoming packets via .Xr syslog 3 @@ -101,7 +108,7 @@ changed as per normal. Do not call .Xr daemon 3 on startup. -Instead, stay attached to the controling terminal and display all packet +Instead, stay attached to the controlling terminal and display all packet alterations to the standard output. This option should only be used for debugging purposes. .It Fl unregistered_only | u 
@@ -267,17 +274,28 @@ If the interface's IP number is changed, will dynamically alter its concept of the alias address. .It Fl in_port | i Ar port Read from and write to +.Xr divert 4 +port .Ar port , -treating all packets as packets coming into the machine. +treating all packets as +.Dq incoming . .It Fl out_port | o Ar port Read from and write to +.Xr divert 4 +port .Ar port , -treating all packets as packets going out of the machine. +treating all packets as +.Dq outgoing . .It Fl port | p Ar port Read from and write to +.Xr divert 4 +port .Ar port , -distinguishing packets as incoming our outgoing using the rules -specified in +distinguishing packets as +.Dq incoming +or +.Dq outgoing +using the rules specified in .Xr divert 4 . If .Ar port @@ -285,7 +303,7 @@ is not numeric, it is searched for in the .Xr services 5 database. If this option is not specified, the divert port named -.Em natd +.Ar natd will be used as a default. .It Fl alias_address | a Ar address Use @@ -295,7 +313,8 @@ If this option is not specified, the .Fl interface option must be used. The specified address is usually the address assigned to the -public network interface. +.Dq public +network interface. .Pp All data passing .Em out @@ -314,8 +333,8 @@ and assignments are checked and actioned. If no other action can be made and if .Fl deny_incoming -is not specified, the packet is delivered unaltered to the local -machine and port as specified in the packet, but see the +is not specified, the packet is delivered to the local machine +using the rules specified in .Fl target_address option below. .It Fl t | target_address Ar address @@ -352,7 +371,11 @@ option must be used. .Pp The specified .Ar interface -is usually the public network interface. +is usually the +.Dq public +(or +.Dq external ) +network interface. .It Fl config | f Ar file Read configuration from .Ar file . 
@@ -365,7 +388,7 @@ For example, the line .Dl alias_address 158.152.17.1 .Pp would specify an alias address of 158.152.17.1. -Options that do not take an argument are specified with an option of +Options that do not take an argument are specified with an argument of .Ar yes or .Ar no @@ -384,9 +407,15 @@ sign will mark the rest of the line as a comment. .It Fl reverse This option makes .Nm -reverse the way it handles incoming and outgoing packets, -allowing it to operate on the internal interface rather than -the external one. +reverse the way it handles +.Dq incoming +and +.Dq outgoing +packets, allowing it to operate on the +.Dq internal +network interface rather than the +.Dq external +one. .Pp This can be useful in some transparent proxying situations when outgoing traffic is redirected to the local machine @@ -437,7 +466,7 @@ The range will be cleared for all rules on startup. .El .Sh RUNNING NATD The following steps are necessary before attempting to run -.Nm natd : +.Nm No : .Bl -enum .It Build a custom kernel with the following options: @@ -464,14 +493,16 @@ file or using the command If you use the .Fl interface option, make sure that your interface is already configured. -If, for example, you wish to specify tun0 as your +If, for example, you wish to specify +.Ql tun0 +as your .Ar interface , and you are using .Xr ppp 8 on that interface, you must make sure that you start .Nm ppp prior to starting -.Nm natd . +.Nm No . .El .Pp Running @@ -488,7 +519,7 @@ on how to configure it to be started automatically during boot. Once .Nm is running, you must ensure that traffic is diverted to -.Nm natd : +.Nm No : .Bl -enum .It You will need to adjust the 
@@ -502,7 +533,9 @@ following lines will do: /sbin/ipfw add pass all from any to any .Ed .Pp -The second line depends on your interface (change ed0 as appropriate). +The second line depends on your interface (change +.Ql ed0 +as appropriate). .Pp You should be aware of the fact that, with these firewall settings, everyone on your local network can fake his source-address using your @@ -517,7 +550,7 @@ the start of the script so that sees all packets before they are dropped by the firewall. .Pp After translation by -.Nm natd , +.Nm No , packets re-enter the firewall at the rule number following the rule number that caused the diversion (not the next rule if there are several at the same number). @@ -564,3 +597,5 @@ times: (early PPTP support) .An Brian Somers Aq brian@awfulhak.org (glue) +.An Ruslan Ermilov Aq ru@FreeBSD.org +(natd, packet aliasing, glue) |
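Review bot: in the hunk at `@@ -69,8 +71,13 @@`, the new paragraph under `-deny_incoming` says "the entry will be made in the internal translation table", which reads as if a specific entry already exists; "a new entry will be made" states what actually happens. It is also worth saying plainly that this is the permissive default: an unsolicited inbound packet with no table entry is rewritten using the `-target_address` rules and gets a translation entry, so an administrator who wants such packets dropped has to pass `-deny_incoming` explicitly. The cross-reference `.Fl target_address` does match the option's own heading (`.It Fl t | target_address Ar address`), so that part is fine as written.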
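Review bot: in the hunk at `@@ -285,7 +303,7 @@`, `.Em natd` becomes `.Ar natd`, but `.Ar` marks a placeholder command-line argument, whereas `natd` here is the literal service name looked up in the services(5) database. The same patch uses `.Ql tun0` and `.Ql ed0` for literal names, so `.Ql natd` would be consistent and would not suggest that the reader substitutes a value of their own.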
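Review bot: in the hunk at `@@ -314,8 +333,8 @@`, the rewritten sentence "the packet is delivered to the local machine using the rules specified in `-target_address`" now agrees with the `-deny_incoming` text earlier in the patch; one remaining gap is that "If no other action can be made" does not mention that a translation entry is created for that packet, which the `-deny_incoming` paragraph does state, so the two descriptions of the same default behaviour can still be read differently. Adding "and an entry is made in the internal translation table" here would keep them in step.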
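Review bot: in the hunk at `@@ -502,7 +533,9 @@`, the change only wraps `ed0` in `.Ql`, but since it touches the sentence right after `/sbin/ipfw add pass all from any to any`, consider stating in that same sentence that the two lines are a minimal example: the paragraph that follows already warns that with these firewall settings everyone on the local network can fake their source address, and readers who copy the example without reading on end up with the permissive ruleset.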