How to ipfw -NAT a single address?
Fresh-Faced Recruit
Join Date: Oct 2004
The following enables NAT for all and it works:
ipfw add divert natd ip from any to any via en0
So if I want to NAT only one client / IP address you'd think this would do it:
ipfw add divert natd ip from 192.168.1.12 to any via en0
But it doesn't. What am I missing?
thanks in advance!
djava
Mac Elite
Join Date: Oct 2000
Location: Seattle
Maybe you have conflicting rules. Is internet sharing on in the system prefs? Have you installed any other NAT front ends?
There is a way to list the rules to take a look at what's really going on.
this might be helpful:
http://www.ibiblio.org/macsupport/ipfw/
Fresh-Faced Recruit
Join Date: Oct 2004
Thanks for the link and no, sharing is not on, there aren't any other NATs and no conflicting rules (minimal setup).
As indicated NAT _is_ working when I use
ipfw add divert natd ip from any to any via en0
But I don't want to allow everyone to have NAT, just an individual client.
One way is to block a user with a previous rule like:
ipfw add deny ip from 192.168.1.12 to any in
which solves my problem but is not an elegant solution; I would have preferred divert to be able to provide NAT for a single address.
thanks,
djava
Addicted to MacNN
Join Date: Jun 1999
Location: Las Vegas, NV, USA
If that single user doesn't have to network with your other clients, then you could put them on different subnets and only share your internet connection with the one.
Chris
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
IMO it is easier to NAT/PAT all and use egress/ingress filtering to allow those you want to have access. It gets a little more interesting with L2L VPN provisioning and routing, but that is another story and another piece of infrastructure buildout completely.
I use Pix and Checkpoint a lot and I found it easier to just allow the clients you want with an ACL/SPI policy in an egress format. So basically you have your inbound and outbound NAT/PAT setup all the time and just have to modify your ACL to allow or not allow firewall traversal. Sometimes you have to get a little gritty in a 60k+ node network, but it removes a layer of complexity.
Then again I don't have to NAT really and I do have to deal with filtering more instead in my environment.
Fresh-Faced Recruit
Join Date: Oct 2004
Thanks for the info, but I need a natd/ipfw solution only, as I need to programmatically add rules per IP address to allow NAT access following authentication.
Currently a solution that works (albeit not consistently, as sometimes the host box will lose internet access due to these rules that feed the packet back into the rules) is to add these 2 rules:
ipfw add divert natd ip from any to [client ip] via en0
ipfw add divert natd ip from [client ip] to any via en0
thanks,
djava
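The script below is an added example, not code from the thread, showing the per-client shape the last post asks for: a natd divert rule that an authentication hook can install for one client and remove again later. It uses separate `out` and `in` divert rules rather than the two `via` rules above. natd rewrites the source address of the client's outbound packets to en0's address, so the replies come back addressed to en0, not to 192.168.1.12; the inbound divert therefore matches `in via en0` for any destination, and natd passes inbound packets it has no translation entry for through unchanged. Using `out`/`in` instead of a bare `via` also keeps each rule from matching both directions. The interface name en0 and the 192.168.1.12 address come from the thread; the rule numbers (900 for the shared inbound rule, 1000 plus the last octet per client), the 192.168.1.0/24 client network and the IPFW variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-client natd divert rules that an
# authentication hook can install and later remove. Interface name and client
# address come from the thread; rule numbers, the client network and the
# IPFW variable are assumptions.
set -u

EXT_IF="${EXT_IF:-en0}"                # external interface, as in the thread
INBOUND_RULE="${INBOUND_RULE:-900}"    # shared inbound divert rule (assumed number)
RULE_BASE="${RULE_BASE:-1000}"         # per-client rule = 1000 + last octet (assumed)
IPFW="${IPFW:-ipfw}"                   # set IPFW=echo to print the commands instead

# Only accept hosts in the assumed 192.168.1.0/24 client network. The value
# ends up on an ipfw command line, so nothing else may pass.
valid_client() {
    case $1 in
        192.168.1.[0-9] | 192.168.1.[1-9][0-9] | 192.168.1.1[0-9][0-9] | \
        192.168.1.2[0-4][0-9] | 192.168.1.25[0-5]) return 0 ;;
        *) return 1 ;;
    esac
}

# One rule number per client address, so revoking needs only the address.
rule_number() {
    echo $((RULE_BASE + ${1##*.}))
}

# Installed once: natd must see every inbound packet on en0 so it can
# un-translate the client's replies, which arrive addressed to en0's own
# address. Inbound packets with no entry in natd's table pass through unchanged.
install_inbound() {
    $IPFW add "$INBOUND_RULE" divert natd ip from any to any in via "$EXT_IF"
}

# Per client: divert only this client's packets as they leave en0. 'out'
# rather than a bare 'via' keeps the rule from also matching the inbound side.
grant_nat() {
    valid_client "$1" || { echo "refusing client address: $1" >&2; return 1; }
    $IPFW add "$(rule_number "$1")" divert natd ip from "$1" to any out via "$EXT_IF"
}

# Remove the client's rule again, e.g. on logout or session expiry.
revoke_nat() {
    valid_client "$1" || { echo "refusing client address: $1" >&2; return 1; }
    $IPFW delete "$(rule_number "$1")"
}

# Usage: nat-client.sh init | grant <ip> | revoke <ip>
case "${1:-}" in
    init)   install_inbound ;;
    grant)  grant_nat "${2:?client address required}" ;;
    revoke) revoke_nat "${2:?client address required}" ;;
    "")     ;;   # no arguments: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 init | grant <ip> | revoke <ip>" >&2; exit 64 ;;
esac
```

Run `sh nat-client.sh init` once after natd is started, then `grant <ip>` from the authentication hook and `revoke <ip>` when the session ends; `IPFW=echo sh nat-client.sh grant 192.168.1.12` prints the ipfw command instead of installing it. Because each client gets a fixed rule number, `ipfw show 1012` (for 192.168.1.12) lists that client's rule and its packet counters, and `ipfw delete 1012` removes exactly that rule.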