I am sure they are but perhaps I have trouble learning such things
that way.  I have often learned technical things by examples and
tampering with existing things.  Without the above mentioned docs I
would not have gotten as far as I did but I only got far enough to get
the Solaris components working with a 1 rule setup.  If anyone has a
setup for Solaris that functions as a NAT router I would love to have
it.

Apropos man pages, if you plan on doing anything serious with UNIX, I highly recommend that you get used to the man page format. There is a pattern in man pages, which, once identified, becomes very easy to follow. It allows for lightning-fast absorption of the material.
Also, the man pages do contain quite a few examples.

Note to Darren: even more examples would be good. The more, the better.
One's software is only as good as one's documentation.

Apropos NAT rules, perhaps someone here feels adventurous to post their ruleset. I personally consider that to be an extremely high security risk, as in just asking for trouble.

You do seem to have persisted and not given up; I respect that.
Perhaps these rather banal examples will help you:

I'll use the 10.x.x.x network range as an example -- it's one of the most common and easy to follow. Large corporations usually use 10.x.x.x ranges for their internal LAN(s).

I'll also make up a Solaris network interface, for example, we'll define bge0 to be the external "Internet" interface. You'll only need one interface to configure NAT.

NAT is normally defined as many-to-one (many IPs are NATted to one IP address), or many-to-many (a range of internal IPs is mapped to a range of external IP addresses).

So:

to NAT (in IPF lingo "map") internal IP addresses from the LAN above to a single external IP address:

/etc/opt/ipf/ipnat.conf:
#
# Make FTP inside ---> outside work
# (common issue, as per IPFilter FAQ).
#
map bge0 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
#
# NAT 10.x.x.x to the external IP address.
# 0/32 is special notation to IPFilter for "whichever IP
# address the bge0 interface is set to"; "portmap tcp/udp auto"
# rewrites TCP and UDP source ports so that sessions from
# different LAN hosts do not collide on the one external address.
#
map bge0 10.0.0.0/8 -> 0/32 portmap tcp/udp auto

One of the things that makes IPFilter simply phenomenal is the ability to proxy connections. This functionality is called "redirect" in IPFilter lingo. For example:

/etc/opt/ipf/ipnat.conf:
#
# a.b.c.d/32 is the external IP address in CIDR notation
# (a single address, hence /32),
# e.f.g.h is an IP address on the DMZ.
#
rdr bge0 a.b.c.d/32 port 7777 -> e.f.g.h port 7777 udp

I hope these examples will help you. Don't forget that for most of the rules in ipnat.conf, one also needs a corresponding rule in ipf.conf that would allow the traffic to that IP address. At least that's been my experience.

Don't give up.

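A complete two-interface NAT router ruleset for IPFilter on Solaris, added here as a worked example; it is not the poster's configuration and not from the original thread. It assumes bge0 faces the Internet, a second interface bge1 faces a 10.0.0.0/8 LAN, and the host that should receive the redirected UDP/7777 (e.f.g.h in the post) is 10.0.1.1 behind bge1; the interface names, addresses and file layout are placeholders, and the load step uses ndd, ipnat and ipf only where those tools exist. The filter file illustrates the caveat about ipf.conf above: IPFilter applies map after outbound filtering, so outbound rules still see the untranslated 10.x sources, and applies rdr before inbound filtering, so the pass rule for the redirect names the DMZ host rather than the public address.

```shell
#!/bin/sh
# Added example, not from the original post. Writes an ipnat.conf and an
# ipf.conf for a Solaris box acting as a NAT router, then loads them if
# the IPFilter tools exist. Assumed placeholders: bge0 = Internet side,
# bge1 = LAN side, 10.0.0.0/8 = LAN, 10.0.1.1 = host that should receive
# UDP/7777 from outside (the post's e.f.g.h).
set -eu

EXT_IF="${EXT_IF:-bge0}"
INT_IF="${INT_IF:-bge1}"
LAN="${LAN:-10.0.0.0/8}"
DMZ_HOST="${DMZ_HOST:-10.0.1.1}"

# write_nat_rules DIR: create DIR/ipnat.conf (map = NAT, rdr = redirect).
write_nat_rules() {
    mkdir -p "$1"
    cat > "$1/ipnat.conf" <<EOF
# FTP from the LAN needs the ftp proxy (IPFilter FAQ); it must come
# before the generic map rule so the proxy rule matches first.
map $EXT_IF $LAN -> 0/32 proxy port ftp ftp/tcp
# Everything else from the LAN shares the address of $EXT_IF (0/32);
# portmap rewrites source ports so two LAN hosts never collide.
map $EXT_IF $LAN -> 0/32 portmap tcp/udp auto
# UDP/7777 arriving on $EXT_IF is redirected to the DMZ host.
rdr $EXT_IF 0.0.0.0/0 port 7777 -> $DMZ_HOST port 7777 udp
EOF
}

# write_filter_rules DIR: create DIR/ipf.conf. ipf uses the LAST matching
# rule unless a rule says "quick", so every rule here is quick and the
# default deny sits at the end of each interface's section.
write_filter_rules() {
    mkdir -p "$1"
    cat > "$1/ipf.conf" <<EOF
pass in quick on lo0 all
pass out quick on lo0 all
# LAN side: only our own LAN may originate sessions; "keep state" lets
# the replies back through every interface they cross.
pass in quick on $INT_IF proto tcp from $LAN to any flags S keep state
pass in quick on $INT_IF proto udp from $LAN to any keep state
pass in quick on $INT_IF proto icmp from $LAN to any keep state
block in log quick on $INT_IF all
# Internet side. Packets claiming a LAN source cannot legitimately
# arrive here, so log and drop them (anti-spoofing).
block in log quick on $EXT_IF from $LAN to any
# Drop fragments too short to hold a full header.
block in log quick on $EXT_IF from any to any with short
# rdr is applied before inbound filtering, so the rule that admits the
# redirected service names the DMZ host, not the public address.
pass in quick on $EXT_IF proto udp from any to $DMZ_HOST port = 7777 keep state
# map is applied after outbound filtering, so these rules still see the
# untranslated 10.x sources (and also cover the router's own traffic).
pass out quick on $EXT_IF proto tcp from any to any flags S keep state
pass out quick on $EXT_IF proto udp from any to any keep state
pass out quick on $EXT_IF proto icmp from any to any keep state
block in log quick on $EXT_IF all
block out log quick on $EXT_IF all
EOF
}

# load_rules DIR: turn on IP forwarding, then flush and reload both
# tables. Run as root on the Solaris box; elsewhere the files are only
# written and this step is skipped.
load_rules() {
    if ! command -v ipf >/dev/null 2>&1; then
        echo "ipf tools not found; rules written to $1 but not loaded" >&2
        return 0
    fi
    ndd -set /dev/ip ip_forwarding 1
    ipnat -CF -f "$1/ipnat.conf"
    ipf -Fa -f "$1/ipf.conf"
}

# Set IPF_DIR (the post uses /etc/opt/ipf) to write and load the rules,
# e.g.  IPF_DIR=/etc/opt/ipf sh nat-router.sh
if [ -n "${IPF_DIR:-}" ]; then
    write_nat_rules "$IPF_DIR"
    write_filter_rules "$IPF_DIR"
    load_rules "$IPF_DIR"
fi
```

After loading, `ipnat -l` shows the active map/rdr rules and the current translation table, and `ipfstat -io` shows the filter rules with hit counts; a LAN host that can reach the Internet but whose redirected service never answers usually means the rdr rule is present but the matching `pass in` on the external interface is missing or names the public address instead of the DMZ host.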