> Can anyone point me in a direction of a resource comparing
> the Linux Masq feature and the BSD implementation of NAT? I'm
> looking at making a FreeBSD or BSDI system run a similar connection
> to my Debian Linux box running masq for my home lan to the net
> via dialup.
This is a response I got from a *BSD buddy of mine:
--
Date: Sun, 20 Dec 1998 06:27:04 -0800 (PST)
Here's what I can tell you. Of course, it only pertains specifically
to NetBSD; the others (FreeBSD, OpenBSD, BSDI/OS) are probably similar,
but no promises here!
1. NetBSD uses ipfilter/ipnat. The specification syntax allows one to
specify that, for packets that are going to be routed out of a
particular interface, any IP address that matches a given range is
remapped to some other address in a given range. For TCP and UDP,
you can also specify the range of ports that will be used for the
remapped address. An example configuration might be:
map ppp0 10.0.0.0/8 -> 209.215.191/24 tcp/udp 20000:29999
which will remap packets outbound on ppp0 (presumably, you have a
default route to your ISP!). Packets from source address in the
network 10 range will be mapped to some arbitrary address in the
assigned network. And for TCP or UDP, a random port in the range
from 20000 to 29999 will be chosen.
You could easily say
map ppp0 1.2.3.4/32 -> 10.0.0.0/8
but I don't think that this is what you really want. This would
pick some arbitrary IP address from network 10 for the remap, but
would remap _all_ connections from the input address to the same
output address.
2. ipfilter/ipnat has additional capabilities for dealing with
inbound connections. These are called redirects. They are configured
like this:
rdr ppp0 0.0.0.0/0 port ftp -> 127.0.0.1/0 port ftp
which basically says to redirect _any_ incoming packets for the
ftp port to the local host. So, you could redirect different ports
and services to different internal hosts, but you don't get to do
anything like load balancing.
3. There are also features built in for proxying (which, if I understand
it correctly, is much more akin to Linux's masquerading), but they
aren't very well documented.
4. One thing ipfilter/ipnat does not do is "understand weird protocols".
It does not ever ever ever look at the contents of packets in a
protocol-specific manner. In fact, you can't even filter based on
anything past the ICMP/TCP/UDP header.
If you'd like, I can ship you the ipfilter/ipnat man pages and/or
example configuration files.
--
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch
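A small Python model of the two ipnat rule shapes quoted in the forwarded reply (the map rule with a port range and the rdr rule), added here as an illustration; it is not code from ipfilter or from anyone in this thread. It parses the rule lines exactly as written in the mail, and its address and port selection is a deterministic hash standing in for ipnat's own choice; Packet, parse_rule and translate are made-up names.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, replace
SERVICES = {"ftp": 21}  # the rdr rule in the mail names its port by service name

@dataclass
class Packet:
    iface: str; proto: str; src: str; sport: int; dst: str; dport: int; outbound: bool

def _net(spec):  # '209.215.191/24' -> 209.215.191.0/24: ipnat accepts short address forms
    addr, _, plen = spec.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network("%s/%s" % (addr, plen or 32), strict=False)

def parse_rule(line):  # the two rule shapes quoted in the mail: map (+ port range) and rdr
    tok = line.split()
    i = tok.index("->")
    rule = {"kind": tok[0], "iface": tok[1], "match": _net(tok[2])}
    if rule["kind"] == "map":
        rule["to"] = _net(tok[i + 1])
        if len(tok) > i + 2:                      # optional "tcp/udp lo:hi"
            rule["protos"] = tok[i + 2].split("/")
            lo, hi = tok[i + 3].split(":")
            rule["ports"] = (int(lo), int(hi))
    else:                                          # rdr <if> <net> port X -> <addr>/0 port Y
        rule["port"], rule["to_port"] = (SERVICES.get(t) or int(t) for t in (tok[4], tok[i + 3]))
        rule["to"] = ipaddress.ip_address(tok[i + 1].split("/")[0])
    return rule

def _pick(key, n):  # deterministic stand-in for ipnat's own address/port choice (simplification)
    return int(hashlib.sha256(key.encode()).hexdigest(), 16) % n

def translate(rules, pkt):
    # map: rewrite the source of outbound packets (one source always gets the same address,
    # as the mail describes); rdr: rewrite the destination of inbound packets on the port.
    for r in rules:
        if r["iface"] != pkt.iface: continue
        if r["kind"] == "map" and pkt.outbound and ipaddress.ip_address(pkt.src) in r["match"]:
            src, sport = str(r["to"][_pick(pkt.src, r["to"].num_addresses)]), pkt.sport
            if pkt.proto in r.get("protos", ()):   # only TCP/UDP get a port from the range
                lo, hi = r["ports"]
                sport = lo + _pick("%s:%d" % (pkt.src, pkt.sport), hi - lo + 1)
            return replace(pkt, src=src, sport=sport)
        if (r["kind"] == "rdr" and not pkt.outbound and pkt.dport == r["port"]
                and ipaddress.ip_address(pkt.dst) in r["match"]):
            return replace(pkt, dst=str(r["to"]), dport=r["to_port"])
    return pkt  # no rule matched: the packet passes untranslated
RULES = [parse_rule(l) for l in ("map ppp0 10.0.0.0/8 -> 209.215.191/24 tcp/udp 20000:29999",
                                 "rdr ppp0 0.0.0.0/0 port ftp -> 127.0.0.1/0 port ftp")]
```

Feeding constructed packets through `translate(RULES, ...)` shows the three cases the mail distinguishes: an outbound TCP packet from network 10 gets a 209.215.191.x source and a port in 20000-29999, an outbound ICMP packet gets only the address rewrite, and an inbound packet to the ftp port is redirected to 127.0.0.1.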