Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 16.0-CURRENT FreeBSD 15.0-RELEASE FreeBSD 15.0-RELEASE and Ports FreeBSD 15.0-RELEASE and Ports.quarterly FreeBSD 15.0-STABLE FreeBSD 14.4-RELEASE and Ports FreeBSD 14.4-STABLE FreeBSD 14.3-RELEASE FreeBSD 14.3-RELEASE and Ports FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 15.0 FreeBSD Ports 15.0.quarterly FreeBSD Ports 14.4 FreeBSD Ports 14.3 FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 14.0 unstable Debian 13.4.0 Debian 12.13.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.2 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 26.4 macOS 15.7.5 macOS 14.8.5 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.7 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.3 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.2 NetBSD 7.1.2 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.2.3 NetBSD 5.2 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.8 OpenBSD 7.7 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2025.10 OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 16.0 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 10.1 Rocky 10.0 Rocky 9.7 Rocky 9.6 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 html pdf ascii

home | help

---

NATD(8)			    System Manager's Manual		       NATD(8)

NAME
       natd -- Network Address Translation daemon

SYNOPSIS
       natd  [-unregistered_only  |  -u]  [-log	| -l] [-proxy_only] [-reverse]
	    [-deny_incoming | -d]  [-use_sockets  |  -s]  [-same_ports	|  -m]
	    [-verbose	 |    -v]    [-dynamic]	   [-in_port	|   -i	 port]
	    [-out_port	  |	-o     port]	 [-port	    |	  -p	 port]
	    [-alias_address  |	-a  address]  [-target_address	|  -t address]
	    [-interface	   |	-n    interface]    [-proxy_rule    proxyspec]
	    [-redirect_port	 linkspec]	[-redirect_proto     linkspec]
	    [-redirect_address	 linkspec]   [-config	|    -f	   configfile]
	    [-log_denied]	      [-log_facility		facility_name]
	    [-punch_fw firewall_range] [-skinny_port port]  [-log_ipfw_denied]
	    [-pid_file | -P pidfile]

DESCRIPTION
       The  natd  utility  provides a Network Address Translation facility for
       use with	divert(4) sockets under	FreeBSD.

       (If you need NAT	on a PPP link, ppp(8) provides the  -nat  option  that
       gives most of the natd functionality, and uses the same libalias(3) li-
       brary.)

       The  natd  utility  normally runs in the	background as a	daemon.	 It is
       passed raw IP packets as	they travel into and out of the	 machine,  and
       will  possibly  change  these before re-injecting them back into	the IP
       packet stream.

       It changes all packets destined for another host	so that	 their	source
       IP  address is that of the current machine.  For	each packet changed in
       this manner, an internal	table entry is created to  record  this	 fact.
       The  source port	number is also changed to indicate the table entry ap-
       plying to the packet.  Packets that are received	with a	target	IP  of
       the  current host are checked against this internal table.  If an entry
       is found, it is used to determine the correct  target  IP  address  and
       port to place in	the packet.

       The following command line options are available:

       -log | -l   Log various aliasing	statistics and information to the file
		   /var/log/alias.log.	 This file is truncated	each time natd
		   is started.

       -deny_incoming |	-d
		   Do not pass incoming	packets	that have no entry in the  in-
		   ternal translation table.

		   If  this option is not used,	then such a packet will	be al-
		   tered using the rules in -target_address below, and the en-
		   try will be made in the internal translation	table.

       -log_denied
		   Log	denied	incoming  packets  via	syslog(3)  (see	  also
		   -log_facility).

       -log_facility facility_name
		   Use	specified  log	facility  when logging information via
		   syslog(3).  Argument	facility_name is one of	 the  keywords
		   specified in	syslog.conf(5).

       -use_sockets | -s
		   Allocate  a	socket(2) in order to establish	an FTP data or
		   IRC DCC send	connection.  This option uses more system  re-
		   sources,  but  guarantees  successful connections when port
		   numbers conflict.

       -same_ports | -m
		   Try to keep the same	port  number  when  altering  outgoing
		   packets.  With this option, protocols such as RPC will have
		   a better chance of working.	If it is not possible to main-
		   tain	 the  port  number, it will be silently	changed	as per
		   normal.

       -verbose	| -v
		   Do not call daemon(3) on startup.  Instead,	stay  attached
		   to  the  controlling	terminal and display all packet	alter-
		   ations to the standard output.  This	option should only  be
		   used	for debugging purposes.

       -unregistered_only | -u
		   Only	alter outgoing packets with an unregistered source ad-
		   dress.   According  to  RFC	1918,  unregistered source ad-
		   dresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

       -redirect_port	       proto	      targetIP:targetPORT[-targetPORT]
		   [aliasIP:]aliasPORT[-aliasPORT]
		   [remoteIP[:remotePORT[-remotePORT]]]
		   Redirect  incoming connections arriving to given port(s) to
		   another host	and port(s).  Argument proto is	either tcp  or
		   udp,	 targetIP is the desired target	IP address, targetPORT
		   is the desired target port number or	 range,	 aliasPORT  is
		   the	requested  port	 number	 or  range, and	aliasIP	is the
		   aliasing address.  Arguments	remoteIP and remotePORT	can be
		   used	to specify the connection more	accurately  if	neces-
		   sary.   If remotePORT is not	specified, it is assumed to be
		   all ports.

		   Arguments targetIP, aliasIP and remoteIP can	be given as IP
		   addresses or	as hostnames.  The targetPORT,	aliasPORT  and
		   remotePORT  ranges  need  not  be the same numerically, but
		   must	have the same size.   When  targetPORT,	 aliasPORT  or
		   remotePORT specifies	a singular value (not a	range),	it can
		   be  given  as  a  service  name that	is searched for	in the
		   services(5) database.

		   For example,	the argument

			 tcp inside1:telnet 6666

		   means that incoming TCP packets destined for	port  6666  on
		   this	machine	will be	sent to	the telnet port	on the inside1
		   machine.

			 tcp inside2:2300-2399 3300-3399

		   will	 redirect  incoming  connections on ports 3300-3399 to
		   host	inside2, ports 2300-2399.  The mapping is 1:1  meaning
		   port	3300 maps to 2300, 3301	maps to	2301, etc.

       -redirect_proto proto localIP [publicIP [remoteIP]]
		   Redirect   incoming	IP  packets  of	 protocol  proto  (see
		   protocols(5)) destined for publicIP address	to  a  localIP
		   address and vice versa.

		   If publicIP is not specified, then the default aliasing ad-
		   dress is used.  If remoteIP is specified, then only packets
		   coming from/to remoteIP will	match the rule.

       -redirect_address localIP publicIP
		   Redirect  traffic for public	IP address to a	machine	on the
		   local network.  This	function is known as static NAT.  Nor-
		   mally static	NAT is useful if  your	ISP  has  allocated  a
		   small block of IP addresses to you, but it can even be used
		   in the case of single address:

			 redirect_address 10.0.0.8 0.0.0.0

		   The	above  command	would redirect all incoming traffic to
		   machine 10.0.0.8.

		   If several address aliases specify the same public  address
		   as follows

			 redirect_address 192.168.0.2 public_addr
			 redirect_address 192.168.0.3 public_addr
			 redirect_address 192.168.0.4 public_addr

		   the	incoming  traffic  will	be directed to the last	trans-
		   lated local address	(192.168.0.4),	but  outgoing  traffic
		   from	 the  first two	addresses will still be	aliased	to ap-
		   pear	from the specified public_addr.

       -redirect_port  proto   targetIP:targetPORT[,targetIP:targetPORT[,...]]
		   [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

       -redirect_address localIP[,localIP[,...]] publicIP
		   These  forms	 of  -redirect_port  and -redirect_address are
		   used	to transparently offload  network  load	 on  a	single
		   server  and	distribute  the	load across a pool of servers.
		   This	function is known as LSNAT (RFC	2391).	 For  example,
		   the argument

			 tcp www1:http,www2:http,www3:http www:http

		   means  that	incoming  HTTP	requests  for host www will be
		   transparently redirected to one of the www1,	www2 or	 www3,
		   where  a  host  is  selected	simply on a round-robin	basis,
		   without regard to load on the net.

       -dynamic	   If the -n or	-interface option is used, natd	 will  monitor
		   the routing socket for alterations to the interface passed.
		   If the interface's IP address is changed, natd will dynami-
		   cally alter its concept of the alias	address.

       -in_port	| -i port
		   Read	 from  and  write to divert(4) port port, treating all
		   packets as "incoming".

       -out_port | -o port
		   Read	from and write to divert(4) port  port,	 treating  all
		   packets as "outgoing".

       -port | -p port
		   Read	 from and write	to divert(4) port port,	distinguishing
		   packets as "incoming" or "outgoing" using the rules	speci-
		   fied	 in divert(4).	If port	is not numeric,	it is searched
		   for in the services(5) database.  If	 this  option  is  not
		   specified, the divert port named natd will be used as a de-
		   fault.

       -alias_address |	-a address
		   Use	address	 as  the aliasing address.  Either this	or the
		   -interface option must be  used  (but  not  both),  if  the
		   -proxy_only option is not specified.	 The specified address
		   is usually the address assigned to the "public" network in-
		   terface.

		   All	data  passing  out will	be rewritten with a source ad-
		   dress equal to address.  All	data coming in will be checked
		   to see if it	matches	any already-aliased  outgoing  connec-
		   tion.   If  it does,	the packet is altered accordingly.  If
		   not,	   all	   -redirect_port,     -redirect_proto	   and
		   -redirect_address assignments are checked and actioned.  If
		   no  other  action  can be made and if -deny_incoming	is not
		   specified, the packet is delivered to the local machine us-
		   ing the rules specified in -target_address option below.

       -t | -target_address address
		   Set the target address.  When an incoming packet not	 asso-
		   ciated  with	 any pre-existing link arrives at the host ma-
		   chine, it will be sent to the specified address.

		   The target address may be set to 255.255.255.255, in	 which
		   case	 all  new incoming packets go to the alias address set
		   by -alias_address or	-interface.

		   If this option is not used, or  called  with	 the  argument
		   0.0.0.0,  then  all	new incoming packets go	to the address
		   specified in	the packet.  This allows external machines  to
		   talk	 directly to internal machines if they can route pack-
		   ets to the machine in question.

       -interface | -n interface
		   Use interface to determine the aliasing address.  If	 there
		   is  a  possibility  that  the  IP  address  associated with
		   interface may change, the -dynamic option  should  also  be
		   used.   If this option is not specified, the	-alias_address
		   option must be used.

		   The	specified  interface  is  usually  the	"public"   (or
		   "external") network interface.

       -config | -f file
		   Read	configuration from file.  A file should	contain	a list
		   of options, one per line, in	the same form as the long form
		   of the above	command	line options.  For example, the	line

			 alias_address 158.152.17.1

		   would  specify  an  alias address of	158.152.17.1.  Options
		   that	do not take an argument	are specified with an argument
		   of yes or no	in the configuration file.  For	 example,  the
		   line

			 log yes

		   is synonymous with -log.

		   Trailing  spaces  and  empty	lines are ignored.  A `#' sign
		   will	mark the rest of the line as a comment.

       -reverse	   This	 option	 makes	natd  reverse  the  way	  it   handles
		   "incoming"  and  "outgoing" packets,	allowing it to operate
		   on  the  "internal"	network	 interface  rather  than   the
		   "external" one.

		   This	 can be	useful in some transparent proxying situations
		   when	outgoing traffic is redirected to  the	local  machine
		   and	natd  is running on the	internal interface (it usually
		   runs	on the external	interface).

       -proxy_only
		   Force natd to perform transparent  proxying	only.	Normal
		   address translation is not performed.

       -proxy_rule  [type  encode_ip_hdr | encode_tcp_stream] port xxxx	server
		   a.b.c.d:yyyy
		   Enable transparent proxying.	 Outgoing TCP packets with the
		   given port going through this host to any  other  host  are
		   redirected  to  the given server and	port.  Optionally, the
		   original target address can be  encoded  into  the  packet.
		   Use	encode_ip_hdr  to put this information into the	IP op-
		   tion	field or encode_tcp_stream to inject the data into the
		   beginning of	the TCP	stream.

       -punch_fw basenumber:count
		   This	 option	 directs  natd	to   "punch   holes"   in   an
		   ipfirewall(4)  based	 firewall for FTP/IRC DCC connections.
		   This	is done	dynamically by installing  temporary  firewall
		   rules  which	 allow	a particular connection	(and only that
		   connection) to go through the firewall.  The	rules are  re-
		   moved once the corresponding	connection terminates.

		   A  maximum  of  count  rules	 starting from the rule	number
		   basenumber will be used for punching	firewall  holes.   The
		   range will be cleared for all rules on startup.

       -skinny_port port
		   This	option allows you to specify the TCP port used for the
		   Skinny Station protocol.  Skinny is used by Cisco IP	phones
		   to  communicate  with  Cisco	 Call Managers to set up voice
		   over	IP calls.  By default, Skinny  aliasing	 is  not  per-
		   formed.  The	typical	port value for Skinny is 2000.

       -log_ipfw_denied
		   Log	when a packet cannot be	re-injected because an ipfw(8)
		   rule	blocks it.  This is the	default	with -verbose.

       -pid_file | -P file
		   Specify an alternate	file in	which to store the process ID.
		   The default is /var/run/natd.pid.

RUNNING	NATD
       The following steps are necessary before	attempting to run natd:

       1.   Build a custom kernel with the following options:

		  options IPFIREWALL
		  options IPDIVERT

	    Refer to the handbook for detailed instructions on building	a cus-
	    tom	kernel.

       2.   Ensure that	your machine is	acting as a gateway.  This can be done
	    by specifying the line

		  gateway_enable=YES

	    in the /etc/rc.conf	file or	using the command

		  sysctl net.inet.ip.forwarding=1

       3.   If you use the -interface option, make sure	that your interface is
	    already configured.	 If, for example, you wish to  specify	`tun0'
	    as your interface, and you are using ppp(8)	on that	interface, you
	    must make sure that	you start ppp prior to starting	natd.

       Running natd is fairly straight forward.	 The line

	     natd -interface ed0

       should suffice in most cases (substituting the correct interface	name).
       Please  check rc.conf(5)	on how to configure it to be started automati-
       cally during boot.  Once	natd is	running, you must ensure that  traffic
       is diverted to natd:

       1.   You	 will need to adjust the /etc/rc.firewall script to taste.  If
	    you	are not	interested in having a firewall, the  following	 lines
	    will do:

		  /sbin/ipfw -f	flush
		  /sbin/ipfw add divert	natd all from any to any via ed0
		  /sbin/ipfw add pass all from any to any

	    The	 second	line depends on	your interface (change `ed0' as	appro-
	    priate).

	    You	should be aware	of the fact that,  with	 these	firewall  set-
	    tings,  everyone on	your local network can fake his	source-address
	    using your host as gateway.	 If there are other hosts on your  lo-
	    cal	 network, you are strongly encouraged to create	firewall rules
	    that only allow traffic to and from	trusted	hosts.

	    If you specify real	firewall rules,	it is best to specify  line  2
	    at	the  start  of the script so that natd sees all	packets	before
	    they are dropped by	the firewall.

	    After translation by natd, packets re-enter	the  firewall  at  the
	    rule  number  following  the rule number that caused the diversion
	    (not the next rule if there	are several at the same	number).

       2.   Enable your	firewall by setting

		  firewall_enable=YES

	    in /etc/rc.conf.  This tells the system startup scripts to run the
	    /etc/rc.firewall script.  If you do	not wish to reboot  now,  just
	    run	 this  by hand from the	console.  NEVER	run this from a	remote
	    session unless you put it into the background.   If	 you  do,  you
	    will  lock yourself	out after the flush takes place, and execution
	    of /etc/rc.firewall	will stop at this point	 -  blocking  all  ac-
	    cesses  permanently.   Running the script in the background	should
	    be enough to prevent this disaster.

SEE ALSO
       libalias(3),   divert(4),   protocols(5),   rc.conf(5),	  services(5),
       syslog.conf(5), ipfw(8),	ppp(8)

AUTHORS
       This  program  is the result of the efforts of many people at different
       times:

       Archie Cobbs <archie@FreeBSD.org> (divert sockets)
       Charles Mott <cm@linktel.net> (packet aliasing)
       Eivind Eklund <perhaps@yes.no> (IRC support & misc additions)
       Ari Suutari <suutari@iki.fi> (natd)
       Dru Nelson <dnelson@redwoodsoft.com> (early PPTP	support)
       Brian Somers <brian@awfulhak.org> (glue)
       Ruslan Ermilov <ru@FreeBSD.org> (natd, packet aliasing, glue)

FreeBSD	5.3		       February	28, 2003		       NATD(8)

---

NAME | SYNOPSIS | DESCRIPTION | RUNNING NATD | SEE ALSO | AUTHORS

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=natd&sektion=8&manpath=FreeBSD+5.3-RELEASE>

home | help

---

Legal Notices | © 1995-2026 The FreeBSD Project. All rights reserved.

Contact