A Network Address Translation Daemon for FreeBSD

1. WHAT IS NATD ?

This is a simple daemon based on FreeBSD divert sockets which performs
network address translation (or masquerading) for IP packets (see the
related RFCs 1631 and 1918). It is based on the packet aliasing package
(see README.alias) written by Charles Mott (cmott@scientech.com).

This package works with any network interface (it does not have to be
ppp). I run it on a computer with two ethernet cards, one connected to
the internet and the other one to the local network.

This new version of natd has been completely rewritten.

2. GETTING IT RUNNING

1) get the modified libalias from:
   http://diehard.n-r-g.com/natd/libalias.tgz
2) untar libalias so that the directories natd and libalias reside in
   the same directory.
3) build libalias (cd ../libalias && make)
4) compile this software by executing "make".

3. USAGE

usage: natd [-diIlLorRsSuUv] [-p base:count] [-f file]

  -d             daemon mode
  -i (-I)        allow (deny) incoming connections
  -l (-L)        enable (disable) logging to /var/log/alias.log
  -o             print the expanded rule set after parsing and exit
  -r (-R)        reset (don't reset) on address change
  -s (-S)        use (don't use) same ports
  -v             verbose, specify more than once for more verbosity
  -p base:count  punch the firewall from base to base + count
  -f file        read the configuration from file

4. RULE FILE SYNTAX

Syntax for rules in BNF:

  rule        = ( divert_rule | nat_rule | rdr_rule ) .
  divert_rule = "divert" port ( "internal" | "external" | "bidirect" )
                [ "->" divert-name ] .
  nat_rule    = [ "no" ] "nat" [ "on" divert-name ] "from" dynipspec
                "to" ipspec [ "->" aliasspec ] .
  rdr_rule    = "rdr" [ "on" divert-name ] [ protospec ] "from" dynipspec
                "to" dynipspec "->" aliasspec .
  protospec   = "proto" ( proto-name | proto-number | "{" proto-list "}" ) .
  proto-list  = ( proto-name | proto-number ) [ "," proto-list ] .
  ipspec      = ( "any" | host | "{" host-list "}" ) [ port ] .
  dynipspec   = "interface" if-name [ port ] | ipspec .
  aliasspec   = address [ port ]
              | [ "balanced" ] "interface" if-name [ port ]
              | "balanced" "{" host-list "}" [ port ] .
  host        = address [ "/" number ] .
  host-list   = host [ "," host-list ] .
  port        = "port" ( port-name | port-number | "{" port-list "}" ) .
  port-list   = ( port-name | port-number ) [ "," port-list ] .

Comments begin with the character `#' and continue until the end of the
line; empty lines are ignored. To spread a rule over multiple lines use
'\' before the newline.

The first matching rule is applied, so order matters: put specific rules
and exclusions before general ones. Rules prefixed with "no" lead to no
translation; such rules can be used to exclude certain connections from
being translated.

5. NOTES & EXAMPLES

1) at least one divert rule is needed

     divert port natd -> divert

2) a simple nat rule

     nat on divert from any to any -> interface fxp0

3) a simple rdr rule (this exposes the web server on 10.0.1.2 to every
   host that can reach fxp0, so make sure that is what you want)

     rdr on divert from any to interface fxp0 port www \
         -> 10.0.1.2 port www

4) don't forget to set gateway_enable="YES" in /etc/rc.conf, otherwise
   the kernel will not forward packets between the two interfaces.

Happy Networking - comments and fixes are welcome!

Claudio Jeker (cjeker@diehard.n-r-g.com)
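As an added worked example for the rule grammar of section 4 and the rules of section 5 (this is not natd's own code and not part of the original README), the following Python parses a rule file exactly as the BNF describes it, including `#` comments, `\`-continued lines, `{ ... }` lists and the `no` prefix, and then applies the first-match semantics to a few packet tuples. Everything not in the README is an assumption: the port-name table stands in for the system services database, the direction keyword of a divert rule is treated as optional because the section 5 example omits it, the address of fxp0 is made up, and the sample rule file and packets are constructed for the demonstration.

```python
"""First-match evaluator for the natd rule-file grammar of section 4. Added example, not natd's own
code; the port-name table, sample rule file, interface address and packet tuples are constructed."""
import ipaddress
import re
PORT_NAMES = {"www": "80", "natd": "8668"}  # assumed; natd itself uses the services database
TOKEN = re.compile(r"->|[{},]|[^\s{},]+")   # '->', braces, commas, bare words

def tokenize(text):
    """'\\' before a newline joins lines, '#' starts a comment, blank lines are dropped."""
    lines = [ln.split("#", 1)[0] for ln in text.replace("\\\n", " ").splitlines()]
    return [TOKEN.findall(ln) for ln in lines if ln.strip()]

class Parser:
    def __init__(self, toks):
        self.toks, self.i = toks, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of rule: " + " ".join(self.toks))
        self.i += 1
        return self.toks[self.i - 1]
    def accept(self, word, required=False):
        if self.peek() == word:
            self.i += 1
            return True
        if required:
            raise ValueError(f"expected {word!r}, got {self.peek()!r}")
        return False
    def word_list(self):  # name | number | "{" item "," item ... "}"
        if not self.accept("{"):
            return [self.take()]
        items = [self.take()]
        while self.accept(","):
            items.append(self.take())
        self.accept("}", required=True)
        return items
    def port(self, required=False):  # [ "port" ... ] -> numeric port strings; None means any port
        return [PORT_NAMES.get(p, p) for p in self.word_list()] if self.accept("port", required) else None
    def ipspec(self):  # ( "any" | host | "{" host-list "}" ) [ port ]
        nets = None if self.accept("any") else [ipaddress.ip_network(h, strict=False) for h in self.word_list()]
        return {"nets": nets, "port": self.port()}
    def dynipspec(self):  # "interface" if-name [ port ] | ipspec
        return {"iface": self.take(), "port": self.port()} if self.accept("interface") else self.ipspec()
    def aliasspec(self):
        balanced = self.accept("balanced")
        if self.accept("interface"):
            return {"iface": self.take(), "balanced": balanced, "port": self.port()}
        if balanced != (self.peek() == "{"):  # a host list needs "balanced"; a single address must not have it
            raise ValueError("'balanced' requires an interface or a { host-list }")
        return {"hosts": self.word_list(), "balanced": balanced, "port": self.port()}
    def rule(self):
        negated, kind = self.accept("no"), self.take()
        r = {"kind": kind, "no": negated}
        if kind == "divert":
            r["port"] = self.port(required=True)
            r["dir"] = self.take() if self.peek() in ("internal", "external", "bidirect") else None  # assumed optional
            r["name"] = self.take() if self.accept("->") else None
        elif kind in ("nat", "rdr"):
            r["on"] = self.take() if self.accept("on") else None
            r["proto"] = self.word_list() if kind == "rdr" and self.accept("proto") else None
            self.accept("from", required=True)
            r["src"] = self.dynipspec()
            self.accept("to", required=True)
            r["dst"] = self.ipspec() if kind == "nat" else self.dynipspec()
            # rdr must translate; a nat rule without "->" keeps the packet's own addresses
            r["alias"] = self.aliasspec() if self.accept("->", required=(kind == "rdr")) else None
        else:
            raise ValueError(f"unknown rule type {kind!r}")
        if (negated and kind != "nat") or self.peek() is not None:
            raise ValueError("bad rule: " + " ".join(self.toks))
        return r

def parse_rules(text):
    return [Parser(toks).rule() for toks in tokenize(text)]

def _spec_ok(spec, addr, port, ifaddrs):
    if "iface" in spec:  # "interface fxp0" stands for that interface's own address
        addr_ok = addr == ifaddrs.get(spec["iface"])
    else:
        addr_ok = spec["nets"] is None or any(ipaddress.ip_address(addr) in n for n in spec["nets"])
    return addr_ok and (spec["port"] is None or str(port) in spec["port"])

def lookup(rules, pkt, ifaddrs):
    """First nat/rdr rule matching pkt, or None; a result with r["no"] set is a 'no nat' exclusion."""
    for r in rules:
        if r["kind"] == "divert" or (r["on"] and r["on"] != pkt["divert"]):
            continue
        if r["proto"] and pkt["proto"] not in r["proto"]:
            continue
        if _spec_ok(r["src"], pkt["src"], pkt["sport"], ifaddrs) and _spec_ok(r["dst"], pkt["dst"], pkt["dport"], ifaddrs):
            return r
    return None

# Constructed sample: the three section 5 rules plus a "no nat" exclusion placed before the catch-all.
SAMPLE = """\
divert port natd bidirect -> divert
no nat on divert from 10.0.1.0/24 to 10.0.0.0/8     # LAN to LAN: first match wins, not translated
rdr on divert proto tcp from any to interface fxp0 port www \\
    -> 10.0.1.2 port www
nat on divert from any to any -> interface fxp0
"""
IFADDRS = {"fxp0": "198.51.100.7"}  # assumed address of the external interface
```

With `rules = parse_rules(SAMPLE)`, a TCP connection from 10.0.1.5 to 10.0.0.9 hits the `no nat` rule and is left alone, an external client connecting to port 80 on fxp0's address is redirected to 10.0.1.2, and a UDP packet to the same address falls through to the catch-all nat rule because the rdr rule only lists `proto tcp`. Packets arriving through a divert socket with a different name match nothing and are therefore not translated. Swapping the exclusion and the catch-all shows why ordering matters: the LAN-to-LAN traffic would then be translated as well.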