docs/64807: Handbook section on NAT incomplete
Marc Fonvieille
blackend at FreeBSD.org
Sat Mar 27 17:40:18 UTC 2004
The following reply was made to PR docs/64807; it has been noted by GNATS.
From: Marc Fonvieille <blackend at FreeBSD.org>
To: Vlad Manilici <vman.SYMBOL.tmok.SYMBOL.com at FreeBSD.org>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: docs/64807: Handbook section on NAT incomplete
Date: Sat, 27 Mar 2004 18:38:46 +0100
On Sat, Mar 27, 2004 at 08:33:43AM -0800, Vlad Manilici wrote:
>
> >Description:
> The Handbook section on NAT:
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
> does not contain sufficient information to configure NAT on FreeBSD.
>
> More specific:
> 1. the suggested firewall configuration ("OPEN") does not contain any
> redirection rule. Probably, the intention was "OpenClient".
> 2. it should be mentioned that NAT does not work with stateful rules.
> 3. NAT configuration with an "open" firewall is not enough in today's
> Internet. A set of rules that mixes NAT with filtering should be
> explained. Combining the two raises some problems not seen in any
> independently, and should definitely be explained.
>
> Here is a working set of rules for NAT and some meaningful packet
> filtering (of course, one could do better). The external interface
> is "xl0", and the internal one "rl0". The internal network is
> 10.0.0/24.
>
[...]
You are talking about packet filtering, not only NAT; the aim of the
mentioned section is to cover only NAT (natd(8)), not the configuration
of a firewall (that is why the OPEN type was used).
All examples are written from that point of view.
If someone wants to add packet filtering, reading
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html
and /etc/rc.firewall will be enough, since rc.firewall contains good
examples. (Changing the OPEN type to SIMPLE or CLIENT does the trick.)
Marc
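As an added example, not from the PR, from the Handbook section or from /etc/rc.firewall: a small sh script showing one way to combine natd(8) with stateful ipfw rules. It assumes xl0 as the external and rl0 as the internal interface with 10.0.0/24 behind it (the names Vlad used), natd started through natd_enable/natd_interface in rc.conf, a kernel with IPDIVERT, and rc.conf's firewall_script pointing at this script so that rc.firewall's own rules are not loaded next to it; all of that is assumed here, not stated on the page. Unless IPFW_APPLY=1 is set the rules are printed instead of loaded. The rule order is the point: inbound packets on xl0 go to natd before check-state, and outbound packets reach natd only after keep-state (via skipto) has recorded the untranslated 10.0.0.x address, so the dynamic rule matches in both directions.

```shell
#!/bin/sh
# Added example: natd(8) plus stateful ipfw filtering on a FreeBSD gateway.
# Assumed, not from the PR or rc.firewall: xl0 external, rl0 internal,
# 10.0.0.0/24 inside, natd already running on the "natd" divert port,
# IPDIVERT in the kernel, and firewall_script="/etc/ipfw.sh" in rc.conf.
# Set IPFW_APPLY=1 and run as root to load the rules; otherwise the
# ipfw commands are only echoed so the ruleset can be inspected.

oif="xl0"            # external interface, where natd translates
iif="rl0"            # internal interface
inet="10.0.0.0/24"   # internal network behind the gateway

if [ "${IPFW_APPLY:-0}" = "1" ]; then
    fwcmd="/sbin/ipfw -q"
else
    fwcmd="echo ipfw"
fi

natd_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 120 deny ip from 127.0.0.0/8 to any
    # Everything on the inside interface is trusted; no state needed.
    ${fwcmd} add 200 allow ip from any to any via ${iif}
    # 1. Inbound packets on xl0 are handed to natd FIRST, so that check-state
    #    sees the private 10.0.0.x destination that keep-state recorded.
    ${fwcmd} add 300 divert natd ip from any to any in via ${oif}
    ${fwcmd} add 310 check-state
    # 2. Outbound sessions create dynamic state with the untranslated
    #    source address and only then jump to the outbound divert rule.
    ${fwcmd} add 400 skipto 800 tcp from any to any out via ${oif} setup keep-state
    ${fwcmd} add 410 skipto 800 udp from any to any out via ${oif} keep-state
    ${fwcmd} add 420 skipto 800 icmp from any to any out via ${oif} keep-state
    # 3. Unsolicited inbound traffic that matched no state is dropped.
    ${fwcmd} add 500 deny log ip from any to any in via ${oif}
    ${fwcmd} add 510 deny ip from any to any
    # 4. Outbound translation happens after the state entry exists.  A reply
    #    matched by check-state takes the parent rule's skipto 800 and is
    #    accepted by rule 810, since the out-only divert does not match it.
    ${fwcmd} add 800 divert natd ip from any to any out via ${oif}
    ${fwcmd} add 810 allow ip from any to any
}

# Dry-run check (echo mode only): inbound divert must come before
# check-state, which must come before the outbound divert.
rule_order_ok() {
    rules=$(natd_rules)
    in_div=$(printf '%s\n' "$rules" | grep -n 'divert natd .* in via' | cut -d: -f1)
    cs=$(printf '%s\n' "$rules" | grep -n 'check-state' | cut -d: -f1)
    out_div=$(printf '%s\n' "$rules" | grep -n 'divert natd .* out via' | cut -d: -f1)
    [ -n "$in_div" ] && [ -n "$cs" ] && [ -n "$out_div" ] &&
        [ "$in_div" -lt "$cs" ] && [ "$cs" -lt "$out_div" ]
}

natd_rules
```

The script intentionally loads nothing unless IPFW_APPLY=1, so it can be read and checked on any host; rule_order_ok exists only for that dry run, as it would flush and reload the rules a second time when applying for real. The inside network variable is kept for local policy (for example restricting rule 200 to ${inet}); the outbound rules use "from any" so the gateway's own traffic is covered as well.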