Juergen Heberling wrote:
/etc/ipnat.rules contains:
map  em0 ->
.. snip ..

I tried your suggestion of using the cidr notation format and that work; thank you!

However I am concerned about overlapping mappings in the cidr range with host-to-host maps - my cidr range is a /28, for example, and I want to map (spoof) some IP address in the middle to, say the web or mail servers. In order to avoid the overlap I was counting on the "range" specification on the map command.

Well, my suggestion is not to exhaust your precious /28 address space right away. And don't make your life unnecessary difficult, why choose the addreses in the middle for bimap?

Rather than using all your external ip's right away I would save some for later expansion, and reserve one for debugging. You may need to connect a laptop on the external net to figure out what's going on. You could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and future expansion (not mapped), x.x.x.12/30 map for lan clients.

If you stick to cidr you can also write your filter rules in cidr making it far easier to read an maintain.

For the mapping, and bimapping consider this:

The /24 network you want to map, it contains at most 254 hosts. If you map that network to a single ip, then each host can establish at least 256 simultaneous connections. My experience is that this is far mor than needed in most normal operating environments. I'd suggest using the same ip as on the firewall external interface.

If the purpose of binatting is to make one service available, http say, then you may consider using rdr. IIRC you can also use rdr to round robin load balancing incoming connections.

That way you can have one host serving http and another serving smtp on the same external ip. The only reason to use different ip's is if you're hosting a number of https servers, each need a different ip.

There's no point in bimapping all ports on a external ip to one single internal ip if most of them are blocked by the filter.

Cheers, Erik
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to