Quick and Dirty FreeBSD NATd Guide (updated February 11, 2024)

This document should help you create a NAT setup with FreeBSD's natd that is secure from outside intrusion. A firewall secure from untrusted users behind your natd will require measures beyond the intended scope of this document.

In your kernel config:

    # Required for NATd to function
    options IPFIREWALL
    options IPDIVERT

In your /etc/rc.conf:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="OPEN"
    natd_enable="YES"
    natd_flags="-f /etc/natd.conf"
    natd_interface="em0"    # Use your public-side interface here.
                            # (The interface with the actual public IP
                            # address - which, for example, is probably tun0
                            # if you're using PPPoE.)

In your /etc/natd.conf:

    # NATd Options
    use_sockets             # These first two options should be default
    same_ports              # settings, but they're not. I don't understand
                            # why. I can't come up with a single scenario
                            # in which you'd not want them set.
    interface em0           # Again, use your public-side interface here.
                            # Yes, in *BOTH* places.
    dynamic                 # Only if your public IP might change (DHCP).
    unregistered_only       # Keeps people on your public-side network from
                            # routing into your private network. natd(8) is
                            # pretty sketchy on this, but if you do not have
                            # this set, someone on your public-side network
                            # can set a network route for your private-side
                            # network with your public-side IP address as the
                            # destination and route traffic to hosts inside.

    # Port mapping syntax:
    #   redirect_port (tcp|udp) <internal_ip>:<internal_port> <public_port>
    # or
    #   redirect_port ccc w.x.y.z:B A
    # Where packets of protocol ccc received on port A of your public address
    # are re-directed to port B on the specified internal IP of w.x.y.z.

    # And provided as an additional natd.conf example:
    ## Microsoft DirectPlay Port Mappings
    redirect_port tcp 192.168.200.5:47624 47624
    redirect_port udp 192.168.200.5:47624 47624
    redirect_port tcp 192.168.200.5:2300-2400 2300-2400
    redirect_port udp 192.168.200.5:2300-2400 2300-2400
    redirect_port udp 192.168.200.5:28800-28900 28800-28900

Notes on restarting natd:

To modify your natd configuration, say to add or change port mappings, edit your /etc/natd.conf file as needed, then run this to restart it (at least in v7.3 and up):

    service natd restart

In versions 5.3 through 7.2:

    /etc/rc.d/natd restart

In v4.x and earlier, unfortunately, there are no rc.d scripts to do this, and natd does not respond to a HUP signal properly, so in order to effect changes to the configuration, I recommend writing a small script like this:

    #!/bin/sh
    kill -9 $(cat /var/run/natd.pid) && /sbin/natd -f /etc/natd.conf

I call my script /usr/sbin/restartnatd and chmod it 555. This script kills and restarts natd very quickly, but since all traffic stops while natd is dead, connections may sometimes drop. This is why the double '&&' is required: it waits on the successful killing of natd, then launches the new one, even if your ssh session to the machine drops.

- Direct comments and feedback to crtxreavr at trioptimum dawt com.
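Added example, not part of the original guide: a POSIX sh audit of the natd.conf/rc.conf pairing described above, meant to be run before restarting natd. It checks that unregistered_only is set and not commented out, that the interface in natd.conf matches natd_interface in rc.conf (the "both places" point), and lists every public port a redirect_port line forwards in, so you can review what is reachable from outside. The function names are my own and the sample files are constructed in a temp dir.

```shell
#!/bin/sh
# Audit helpers for the natd.conf/rc.conf pairing described in the guide.
# Sample files are constructed in a temp dir; nothing under /etc is touched.

# Is unregistered_only set (and not commented out)?  0 = yes, 1 = no.
has_unregistered_only() {
    grep -Eq '^[[:space:]]*unregistered_only([[:space:]]|$)' "$1"
}

# Does "interface" in natd.conf match natd_interface in rc.conf?
interface_matches() {
    conf_if=$(awk '$1 == "interface" { print $2; exit }' "$1")
    rc_if=$(sed -n 's/^natd_interface="\([^"]*\)".*/\1/p' "$2" | tail -n 1)
    [ -n "$conf_if" ] && [ "$conf_if" = "$rc_if" ]
}

# One line per redirect_port rule: "proto public_port -> internal_ip:internal_port".
# The public ports listed are what natd will forward in from outside.
list_exposed_ports() {
    awk '$1 == "redirect_port" {
        split($3, t, ":")
        printf "%s %s -> %s:%s\n", $2, $4, t[1], t[2]
    }' "$1"
}

# Run every check, print findings, return 0 only if all pass.
natd_audit() {
    rc=0
    has_unregistered_only "$1" || { echo "WARN: unregistered_only not set in $1"; rc=1; }
    interface_matches "$1" "$2" || { echo "WARN: interface in $1 != natd_interface in $2"; rc=1; }
    echo "Exposed public ports:"
    list_exposed_ports "$1" | sed 's/^/  /'
    return $rc
}

# Constructed sample pair mirroring the guide's settings (two of the DirectPlay rules).
write_sample() {
    printf 'use_sockets\nsame_ports\ninterface em0 # public side\ndynamic\n' > "$1"
    printf 'unregistered_only # keep outsiders from routing in\n' >> "$1"
    printf 'redirect_port tcp 192.168.200.5:47624 47624\n' >> "$1"
    printf 'redirect_port udp 192.168.200.5:2300-2400 2300-2400\n' >> "$1"
    printf 'natd_enable="YES"\nnatd_interface="em0"\n' > "$2"
}

demo=$(mktemp -d)
write_sample "$demo/natd.conf" "$demo/rc.conf"
natd_audit "$demo/natd.conf" "$demo/rc.conf" || true
rm -rf "$demo"
```

Point natd_audit at /etc/natd.conf and /etc/rc.conf on a real box; a non-zero exit means one of the two security-relevant settings from the guide is missing or mismatched.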