IPFW+natd & Cisco VPN tunnelling....
Chuck Swiger
cswiger at mac.com
Fri Jul 15 18:18:58 GMT 2005
Hi, all--
I'm working on a new firewall running FreeBSD-5.4, IPFW, and natd for a small
client network of about 50 boxes, using a single routable IP via a T1 link.
They want to set up a Cisco 87x router as a VPN endpoint, my part is to set up
forwarding of the VPN traffic via the firewall to this cisco. The firewall box
is a Dell 2850 with dual Intel em NICs.
Since I'm waiting for someone else to get that box up, I decided to check here
whether my config is sane. I'm using a normal divert rule to forward traffic
to natd, which is working fine, and have this as /etc/natd.conf:
# NATD configuration options
dynamic yes
interface em1
#log yes
log_denied yes
use_sockets yes
same_ports yes
unregistered_only yes
redirect_port tcp 192.168.1.2:www www
redirect_proto gre ciscovpn
redirect_port udp ciscovpn:500 500
redirect_port tcp ciscovpn:10000 10000
redirect_port tcp ciscovpn:pptp pptp
...where ciscovpn is obviously the hostname for the Cisco 870 box.
Is there any way to convince natd to re-read the natd.conf file short of
killing and restarting the daemon entirely? The manpage didn't say so, and
"kill -HUP" terminates the process.
--
-Chuck
PS: It seems unfortunate that not including a natd_interface statement in
rc.conf causes /etc/rc.firewall to not include a divert rule, but that can be
corrected by using your own rules in a file and setting firewall_type.
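As an added illustration (not part of Chuck's post or his actual ruleset), the following is the kind of rules file that firewall_type can point at for this setup. The point it makes is that the redirect_port/redirect_proto lines in natd.conf only decide where natd rewrites inbound packets to; the ipfw rules after the divert rule still have to allow them, and they see the translated addresses, so the inbound allows name the internal VPN host and nothing else gets in. Assumptions, all labelled in the comments: em1 is the outside interface as in natd.conf, em0 is the LAN side, natd uses its default divert port 8668, and the addresses for the LAN and for the "ciscovpn" host are constructed placeholders (the post gives only the hostname).

```shell
#!/bin/sh
# /etc/ipfw.rules: custom ruleset loaded via firewall_type="/etc/ipfw.rules"
# in rc.conf.  Example added to this archive page, not the poster's own file.
# Assumptions: em1 is the outside (T1) interface as in natd.conf, em0 is the
# LAN, natd listens on its default divert port 8668, and the addresses below
# are constructed placeholders.
oif="em1"               # outside interface, matches "interface em1" in natd.conf
iif="em0"               # inside interface (assumed)
lan="192.168.1.0/24"    # inside network (assumed from 192.168.1.2 in natd.conf)
www="192.168.1.2"       # internal web server from the "redirect_port tcp ... www" line
ciscovpn="192.168.1.3"  # placeholder address for the "ciscovpn" host
divert_port="8668"      # natd default ("natd" in /etc/services)
fwcmd="${fwcmd:-ipfw}"

# Emit the ruleset, one "add ..." command per line.  Rules after the divert
# see translated packets: inbound traffic already carries the internal
# destination natd redirected it to, outbound traffic already carries the
# public source address, hence "me" rather than ${lan} on the outbound rule.
rules() {
  cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 00400 divert ${divert_port} ip from any to any via ${oif}
add 00500 allow tcp from any to any established
add 00600 allow ip from me to any out via ${oif}
add 00700 allow udp from any to ${ciscovpn} 500 in via ${oif}
add 00710 allow gre from any to ${ciscovpn} in via ${oif}
add 00720 allow tcp from any to ${ciscovpn} 10000 in via ${oif} setup
add 00730 allow tcp from any to ${ciscovpn} 1723 in via ${oif} setup
add 00740 allow tcp from any to ${www} 80 in via ${oif} setup
add 00800 allow ip from ${lan} to any via ${iif}
add 00810 allow ip from any to ${lan} via ${iif}
add 65000 deny log ip from any to any
EOF
}

# Flush the current ruleset and load the one above.
apply_rules() {
  ${fwcmd} -q -f flush
  rules | while read -r line; do
    # intentional word splitting: each line is one complete ipfw command
    ${fwcmd} -q ${line}
  done
}

case "${1:-print}" in
  apply) apply_rules ;;
  *)     rules ;;      # dry run: show the rules that would be loaded
esac
```

Run it without arguments to review the generated rules, and with "apply" as root to load them. Anything inbound on em1 that natd did not redirect keeps the public address as its destination and falls through to the final deny, so only the four services forwarded to the Cisco (and port 80 to the web server) are reachable from outside.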
More information about the freebsd-questions mailing list