Site Navigation

FreeBSD Manual Pages

   man apropos
 
   All Sections 1 - General Commands 2 - System Calls 3 - Subroutines 4 - Special Files 5 - File Formats 6 - Games 7 - Macros and Conventions 8 - Maintenance Commands 9 - Kernel Interface n - New Commands FreeBSD 15.0-CURRENT FreeBSD 14.3-RELEASE FreeBSD 14.3-RELEASE and Ports FreeBSD 14.3-STABLE FreeBSD 14.2-RELEASE FreeBSD 14.2-RELEASE and Ports FreeBSD 14.1-RELEASE FreeBSD 14.1-RELEASE and Ports FreeBSD 14.0-RELEASE FreeBSD 14.0-RELEASE and Ports FreeBSD 13.5-RELEASE FreeBSD 13.5-RELEASE and Ports FreeBSD 13.5-STABLE FreeBSD 13.4-RELEASE FreeBSD 13.4-RELEASE and Ports FreeBSD 13.3-RELEASE FreeBSD 13.3-RELEASE and Ports FreeBSD 13.2-RELEASE FreeBSD 13.2-RELEASE and Ports FreeBSD 13.1-RELEASE FreeBSD 13.1-RELEASE and Ports FreeBSD 13.0-RELEASE FreeBSD 13.0-RELEASE and Ports FreeBSD 12.4-RELEASE FreeBSD 12.4-RELEASE and Ports FreeBSD 12.3-RELEASE FreeBSD 12.3-RELEASE and Ports FreeBSD 12.2-RELEASE FreeBSD 12.2-RELEASE and Ports FreeBSD 12.1-RELEASE FreeBSD 12.1-RELEASE and Ports FreeBSD 12.0-RELEASE FreeBSD 12.0-RELEASE and Ports FreeBSD 11.4-RELEASE FreeBSD 11.4-RELEASE and Ports FreeBSD 11.3-RELEASE FreeBSD 11.3-RELEASE and Ports FreeBSD 11.2-RELEASE FreeBSD 11.2-RELEASE and Ports FreeBSD 11.1-RELEASE FreeBSD 11.1-RELEASE and Ports FreeBSD 11.0-RELEASE FreeBSD 11.0-RELEASE and Ports FreeBSD 10.4-RELEASE FreeBSD 10.4-RELEASE and Ports FreeBSD 10.3-RELEASE FreeBSD 10.3-RELEASE and Ports FreeBSD 10.2-RELEASE FreeBSD 10.2-RELEASE and Ports FreeBSD 10.1-RELEASE FreeBSD 10.1-RELEASE and Ports FreeBSD 10.0-RELEASE FreeBSD 10.0-RELEASE and Ports FreeBSD 9.3-RELEASE FreeBSD 9.3-RELEASE and Ports FreeBSD 9.2-RELEASE FreeBSD 9.2-RELEASE and Ports FreeBSD 9.1-RELEASE FreeBSD 9.1-RELEASE and Ports FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE and Ports FreeBSD 8.4-RELEASE FreeBSD 8.4-RELEASE and Ports FreeBSD 8.3-RELEASE FreeBSD 8.3-RELEASE and Ports FreeBSD 8.2-RELEASE FreeBSD 8.2-RELEASE and Ports FreeBSD 8.1-RELEASE FreeBSD 8.1-RELEASE and Ports FreeBSD 8.0-RELEASE FreeBSD 8.0-RELEASE and Ports FreeBSD 7.4-RELEASE FreeBSD 7.4-RELEASE and Ports FreeBSD 7.3-RELEASE FreeBSD 7.3-RELEASE and Ports FreeBSD 7.2-RELEASE FreeBSD 7.2-RELEASE and Ports FreeBSD 7.1-RELEASE FreeBSD 7.1-RELEASE and Ports FreeBSD 7.0-RELEASE FreeBSD 6.4-RELEASE FreeBSD 6.4-RELEASE and Ports FreeBSD 6.3-RELEASE FreeBSD 6.3-RELEASE and Ports FreeBSD 6.2-RELEASE FreeBSD 6.1-RELEASE FreeBSD 6.0-RELEASE FreeBSD 6.0-RELEASE and Ports FreeBSD 5.5-RELEASE FreeBSD 5.5-RELEASE and Ports FreeBSD 5.4-RELEASE FreeBSD 5.4-RELEASE and Ports FreeBSD 5.3-RELEASE FreeBSD 5.3-RELEASE and Ports FreeBSD 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE and Ports FreeBSD 5.2-RELEASE FreeBSD 5.2-RELEASE and Ports FreeBSD 5.1-RELEASE FreeBSD 5.0-RELEASE FreeBSD 4.11-RELEASE FreeBSD 4.11-RELEASE and Ports FreeBSD 4.10-RELEASE FreeBSD 4.10-RELEASE and Ports FreeBSD 4.9-RELEASE FreeBSD 4.9-RELEASE and Ports FreeBSD 4.8-RELEASE FreeBSD 4.8-RELEASE and Ports FreeBSD 4.7-RELEASE FreeBSD 4.6.2-RELEASE FreeBSD 4.6.2-RELEASE and Ports FreeBSD 4.6-RELEASE FreeBSD 4.6-RELEASE and Ports FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE and Ports FreeBSD 4.4-RELEASE FreeBSD 4.3-RELEASE FreeBSD 4.3-RELEASE and Ports FreeBSD 4.2-RELEASE FreeBSD 4.2-RELEASE and Ports FreeBSD 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE and Ports FreeBSD 4.1-RELEASE FreeBSD 4.0-RELEASE FreeBSD 3.5.1-RELEASE FreeBSD 3.5.1-RELEASE and Ports FreeBSD 3.5-RELEASE and Ports FreeBSD 3.4-RELEASE FreeBSD 3.4-RELEASE and Ports FreeBSD 3.3-RELEASE FreeBSD 3.2-RELEASE FreeBSD 3.1-RELEASE FreeBSD 3.0-RELEASE FreeBSD 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE and Ports FreeBSD 2.2.7-RELEASE FreeBSD 2.2.6-RELEASE FreeBSD 2.2.5-RELEASE FreeBSD 2.2.2-RELEASE FreeBSD 2.2.1-RELEASE FreeBSD 2.1.7.1-RELEASE FreeBSD 2.1.6.1-RELEASE FreeBSD 2.1.5-RELEASE FreeBSD 2.1.0-RELEASE FreeBSD 2.0.5-RELEASE FreeBSD 2.0-RELEASE FreeBSD 1.1.5.1-RELEASE FreeBSD 1.1-RELEASE FreeBSD 1.0-RELEASE FreeBSD Ports 14.3 FreeBSD Ports 14.3.quarterly FreeBSD Ports 14.2 FreeBSD Ports 14.1 FreeBSD Ports 14.0 FreeBSD Ports 13.5 FreeBSD Ports 13.4 FreeBSD Ports 13.3 FreeBSD Ports 13.2 FreeBSD Ports 13.1 FreeBSD Ports 13.0 FreeBSD Ports 12.4 FreeBSD Ports 12.3 FreeBSD Ports 12.2 FreeBSD Ports 12.1 FreeBSD Ports 12.0 FreeBSD Ports 11.4 FreeBSD Ports 11.3 FreeBSD Ports 11.2 FreeBSD Ports 11.1 FreeBSD Ports 11.0 FreeBSD Ports 10.4 FreeBSD Ports 10.3 FreeBSD Ports 10.2 FreeBSD Ports 10.1 FreeBSD Ports 10.0 FreeBSD Ports 9.3 FreeBSD Ports 9.2 FreeBSD Ports 9.1 FreeBSD Ports 9.0 FreeBSD Ports 8.4 FreeBSD Ports 8.3 FreeBSD Ports 8.2 FreeBSD Ports 8.1 FreeBSD Ports 8.0 FreeBSD Ports 7.4 FreeBSD Ports 7.3 FreeBSD Ports 7.2 FreeBSD Ports 7.1 FreeBSD Ports 7.0 FreeBSD Ports 6.4 FreeBSD Ports 6.3 FreeBSD Ports 6.2 FreeBSD Ports 6.0 FreeBSD Ports 5.5 FreeBSD Ports 5.4 FreeBSD Ports 5.3 FreeBSD Ports 5.2.1 FreeBSD Ports 5.2 FreeBSD Ports 5.1 FreeBSD Ports 4.11 FreeBSD Ports 4.10 FreeBSD Ports 4.9 FreeBSD Ports 4.8 FreeBSD Ports 4.7 FreeBSD Ports 4.6.2 FreeBSD Ports 4.6 FreeBSD Ports 4.5 FreeBSD Ports 4.3 FreeBSD Ports 4.2 FreeBSD Ports 4.1.1 FreeBSD Ports 3.5.1 FreeBSD Ports 3.5 FreeBSD Ports 3.4 FreeBSD Ports 2.2.8 4.4BSD Lite2 4.3BSD NET/2 4.3BSD Reno 2.11 BSD 2.10 BSD 2.9.1 BSD 2.8 BSD 386BSD 0.1 386BSD 0.0 CentOS 7.9 CentOS 7.8 CentOS 7.7 CentOS 7.6 CentOS 7.5 CentOS 7.4 CentOS 7.3 CentOS 7.2 CentOS 7.1 CentOS 7.0 CentOS 6.10 CentOS 6.9 CentOS 6.8 CentOS 6.7 CentOS 6.6 CentOS 6.5 CentOS 6.4 CentOS 6.3 CentOS 6.2 CentOS 6.1 CentOS 6.0 CentOS 5.11 CentOS 5.10 CentOS 5.9 CentOS 5.8 CentOS 5.7 CentOS 5.6 CentOS 5.5 CentOS 5.4 CentOS 4.8 CentOS 3.9 Darwin 8.0.1/ppc Darwin 7.0.1 Darwin 6.0.2/x86 Darwin 1.4.1/x86 Darwin 1.3.1/x86 Debian 13.0 unstable Debian 12.11.0 Debian 11.11.0 Debian 10.13.0 Debian 9.13.0 Debian 8.11.1 Debian 7.11.0 Debian 6.0.10 Debian 5.0.10 Debian 4.0.9 Debian 3.1.8 Debian 2.2.7 Debian 2.0.0 Dell UNIX SVR4 2.2 DragonFly 6.4.0 DragonFly 5.8.3 DragonFly 4.8.1 DragonFly 3.8.2 DragonFly 2.10.1 DragonFly 1.12.1 DragonFly 1.0A HP-UX 11.22 HP-UX 11.20 HP-UX 11.11 HP-UX 11.00 HP-UX 10.20 HP-UX 10.10 HP-UX 10.01 HP-UX 9.07 HP-UX 8.07 Inferno 4th Edition IRIX 6.5.30 Linux Slackware 3.1 MACH 2.5/i386 macOS 15.5.0 macOS 14.7.5 macOS 13.6.5 macOS 12.7.3 macOS 11.1 macOS 10.15.0 macOS 10.13.6 macOS 10.12.0 Minix 3.3.0 Minix 3.2.1 Minix 3.2.0 Minix 3.1.7 Minix 3.1.6 Minix 3.1.5 Minix 2.0.0 NetBSD 10.1 NetBSD 10.0 NetBSD 9.4 NetBSD 9.3 NetBSD 9.2 NetBSD 9.1 NetBSD 9.0 NetBSD 8.2 NetBSD 8.1 NetBSD 8.0 NetBSD 7.1 NetBSD 7.0 NetBSD 6.1.5 NetBSD 6.0 NetBSD 5.1 NetBSD 5.0 NetBSD 4.0.1 NetBSD 4.0 NetBSD 3.1 NetBSD 3.0 NetBSD 2.1 NetBSD 2.0.2 NetBSD 2.0 NetBSD 1.6.2 NetBSD 1.6.1 NetBSD 1.6 NetBSD 1.5.3 NetBSD 1.5.2 NetBSD 1.5.1 NetBSD 1.5 NetBSD 1.4.3 NetBSD 1.4.2 NetBSD 1.4.1 NetBSD 1.4 NetBSD 1.3.3 NetBSD 1.3.2 NetBSD 1.3.1 NetBSD 1.3 NetBSD 1.2.1 NetBSD 1.2 NetBSD 1.1 NetBSD 1.0 NeXTSTEP 3.3 OpenBSD 7.7 OpenBSD 7.6 OpenBSD 7.5 OpenBSD 7.4 OpenBSD 7.3 OpenBSD 7.2 OpenBSD 7.1 OpenBSD 7.0 OpenBSD 6.9 OpenBSD 6.8 OpenBSD 6.7 OpenBSD 6.6 OpenBSD 6.5 OpenBSD 6.4 OpenBSD 6.3 OpenBSD 6.2 OpenBSD 6.1 OpenBSD 6.0 OpenBSD 5.9 OpenBSD 5.8 OpenBSD 5.7 OpenBSD 5.6 OpenBSD 5.5 OpenBSD 5.4 OpenBSD 5.3 OpenBSD 5.2 OpenBSD 5.1 OpenBSD 5.0 OpenBSD 4.9 OpenBSD 4.8 OpenBSD 4.7 OpenBSD 4.6 OpenBSD 4.5 OpenBSD 4.4 OpenBSD 4.3 OpenBSD 4.2 OpenBSD 4.1 OpenBSD 4.0 OpenBSD 3.9 OpenBSD 3.8 OpenBSD 3.7 OpenBSD 3.6 OpenBSD 3.5 OpenBSD 3.4 OpenBSD 3.3 OpenBSD 3.2 OpenBSD 3.1 OpenBSD 3.0 OpenBSD 2.9 OpenBSD 2.8 OpenBSD 2.7 OpenBSD 2.6 OpenBSD 2.5 OpenBSD 2.4 OpenBSD 2.3 OpenBSD 2.2 OpenBSD 2.1 OpenBSD 2.0 OpenDarwin 7.2.1 OpenDarwin 6.6.2/x86 OpenDarwin 6.6.1/x86 OpenDarwin 20030208pre4/ppc OpenIndiana 2024.10 OpenIndiana 2022.10 OpenIndiana 2020.10 OpenIndiana 2017.10 OpenIndiana 2015.10 OpenIndiana 2013.08 OpenSolaris 2010.03 OpenSolaris 2009.06 OpenStep 4.2 openSUSE 42.3 openSUSE 42.2 openSUSE 42.1 openSUSE 15.6 openSUSE 15.5 openSUSE 15.4 openSUSE 15.3 openSUSE 15.2 openSUSE 15.1 openSUSE 15.0 openSUSE 13.2 openSUSE 13.1 openSUSE 11.4 openSUSE 11.3 openSUSE 11.2 openSUSE 10.3 openSUSE 10.2 OSF1 V5.1/alpha OSF1 V4.0/alpha OSF1 V1.0/mips Plan 9 Red Hat 9.0 Red Hat 8.0 Red Hat 7.3 Red Hat 7.2 Red Hat 7.1 Red Hat 7.0 Red Hat 6.2 Red Hat 6.1 Red Hat 5.2 Red Hat 5.0 Red Hat 4.2 Rhapsody DR1 Rhapsody DR2 Rocky 10.0 Rocky 9.6 Rocky 9.5 Rocky 9.4 Rocky 9.3 Rocky 9.2 Rocky 9.1 Rocky 9.0 Rocky 8.10 Rocky 8.9 Rocky 8.8 Rocky 8.7 Rocky 8.6 Rocky 8.5 Rocky 8.4 Rocky 8.3 Sun UNIX 0.4 SunOS 5.10 SunOS 5.9 SunOS 5.8 SunOS 5.7 SunOS 5.6 SunOS 5.5.1 SunOS 4.1.3 SuSE 11.3 SuSE 11.2 SuSE 11.1 SuSE 11.0 SuSE 10.3 SuSE 10.2 SuSE 10.1 SuSE 10.0 SuSE 9.3 SuSE 9.2 SuSE 8.2 SuSE 8.1 SuSE 8.0 SuSE 7.3 SuSE 7.2 SuSE 7.1 SuSE 7.0 SuSE 6.4 SuSE 6.3 SuSE 6.1 SuSE 6.0 SuSE 5.3 SuSE 5.2 SuSE 5.0 SuSE 4.3 SuSE ES 10 SP1 Ubuntu 24.04 noble Ubuntu 23.10 mantic Ubuntu 22.04 jammy Ubuntu 20.04 focal Ubuntu 18.04 bionic Ubuntu 16.04 xenial Ubuntu 14.04 trusty ULTRIX 4.2 Ultrix-32 2.0/VAX Unix Seventh Edition X11R7.4 X11R7.3.2 X11R7.2 X11R6.9.0 X11R6.8.2 X11R6.7.0 XFree86 4.8.0 XFree86 4.7.0 XFree86 4.6.0 XFree86 4.5.0 XFree86 4.4.0 XFree86 4.3.0 XFree86 4.2.99.3 XFree86 4.2.0 XFree86 4.1.0 XFree86 4.0.2 XFree86 4.0.1 XFree86 4.0 XFree86 3.3.6 XFree86 3.3 XFree86 2.1 All Architectures html pdf ascii

home | help

---

NATD(8)			    System Manager's Manual		       NATD(8)

NAME
       natd -- Network Address Translation daemon

SYNOPSIS
       natd  [-unregistered_only  |  -u]  [-log	| -l] [-proxy_only] [-reverse]
	    [-deny_incoming | -d]  [-use_sockets  |  -s]  [-same_ports	|  -m]
	    [-verbose	 |    -v]    [-dynamic]	   [-in_port	|   -i	 port]
	    [-out_port	  |	-o     port]	 [-port	    |	  -p	 port]
	    [-alias_address  |	-a  address]  [-target_address	|  -t address]
	    [-interface	   |	-n    interface]    [-proxy_rule    proxyspec]
	    [-redirect_port	 linkspec]	[-redirect_proto     linkspec]
	    [-redirect_address	 linkspec]   [-config	|    -f	   configfile]
	    [-instance	  instancename]	  [-globalport	 port]	 [-log_denied]
	    [-log_facility    facility_name]	[-punch_fw     firewall_range]
	    [-skinny_port  port]  [-log_ipfw_denied]  [-pid_file | -P pidfile]
	    [-exit_delay | -P ms]

DESCRIPTION
       The natd	utility	provides a Network Address  Translation	 facility  for
       use with	divert(4) sockets under	FreeBSD.

       (If  you	 need  NAT on a	PPP link, ppp(8) provides the -nat option that
       gives most of the natd functionality, and uses the same libalias(3) li-
       brary.)

       The natd	utility	normally runs in the background	as a  daemon.	It  is
       passed  raw  IP packets as they travel into and out of the machine, and
       will possibly change these before re-injecting them back	 into  the  IP
       packet stream.

       It  changes  all	packets	destined for another host so that their	source
       IP address is that of the current machine.  For each packet changed  in
       this  manner,  an  internal table entry is created to record this fact.
       The source port number is also changed to indicate the table entry  ap-
       plying  to  the	packet.	 Packets that are received with	a target IP of
       the current host	are checked against this internal table.  If an	 entry
       is  found,  it  is  used	to determine the correct target	IP address and
       port to place in	the packet.

       The following command line options are available:

       -log | -l   Log various aliasing	statistics and information to the file
		   /var/log/alias.log.	This file is truncated each time  natd
		   is started.

       -deny_incoming |	-d
		   Do  not pass	incoming packets that have no entry in the in-
		   ternal translation table.

		   If this option is not used, then such a packet will be  al-
		   tered using the rules in -target_address below, and the en-
		   try will be made in the internal translation	table.

       -log_denied
		   Log	 denied	 incoming  packets  via	 syslog(3)  (see  also
		   -log_facility).

       -log_facility facility_name
		   Use specified log facility  when  logging  information  via
		   syslog(3).	Argument  facility_name	is one of the keywords
		   specified in	syslog.conf(5).

       -use_sockets | -s
		   Allocate a socket(2)	in order to establish an FTP  data  or
		   IRC	DCC send connection.  This option uses more system re-
		   sources, but	guarantees successful  connections  when  port
		   numbers conflict.

       -same_ports | -m
		   Try	to  keep  the  same port number	when altering outgoing
		   packets.  With this option, protocols such as RPC will have
		   a better chance of working.	If it is not possible to main-
		   tain	the port number, it will be silently  changed  as  per
		   normal.

       -verbose	| -v
		   Do  not  call daemon(3) on startup.	Instead, stay attached
		   to the controlling terminal and display all	packet	alter-
		   ations  to the standard output.  This option	should only be
		   used	for debugging purposes.

       -unregistered_only | -u
		   Only	alter outgoing packets with an unregistered source ad-
		   dress.  According to	 RFC  1918,  unregistered  source  ad-
		   dresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

       -redirect_port	       proto	      targetIP:targetPORT[-targetPORT]
		   [aliasIP:]aliasPORT[-aliasPORT]
		   [remoteIP[:remotePORT[-remotePORT]]]
		   Redirect incoming connections arriving to given port(s)  to
		   another  host and port(s).  Argument	proto is either	tcp or
		   udp,	targetIP is the	desired	target IP address,  targetPORT
		   is  the  desired  target port number	or range, aliasPORT is
		   the requested port number or	 range,	 and  aliasIP  is  the
		   aliasing address.  Arguments	remoteIP and remotePORT	can be
		   used	 to  specify  the connection more accurately if	neces-
		   sary.  If remotePORT	is not specified, it is	assumed	to  be
		   all ports.

		   Arguments targetIP, aliasIP and remoteIP can	be given as IP
		   addresses  or  as hostnames.	 The targetPORT, aliasPORT and
		   remotePORT ranges need not be  the  same  numerically,  but
		   must	 have  the  same  size.	 When targetPORT, aliasPORT or
		   remotePORT specifies	a singular value (not a	range),	it can
		   be given as a service name that  is	searched  for  in  the
		   services(5) database.

		   For example,	the argument

			 tcp inside1:telnet 6666

		   means  that	incoming TCP packets destined for port 6666 on
		   this	machine	will be	sent to	the telnet port	on the inside1
		   machine.

			 tcp inside2:2300-2399 3300-3399

		   will	redirect incoming connections on  ports	 3300-3399  to
		   host	 inside2, ports	2300-2399.  The	mapping	is 1:1 meaning
		   port	3300 maps to 2300, 3301	maps to	2301, etc.

       -redirect_proto proto localIP [publicIP [remoteIP]]
		   Redirect  incoming  IP  packets  of	protocol  proto	  (see
		   protocols(5))  destined  for	 publicIP address to a localIP
		   address and vice versa.

		   If publicIP is not specified, then the default aliasing ad-
		   dress is used.  If remoteIP is specified, then only packets
		   coming from/to remoteIP will	match the rule.

       -redirect_address localIP publicIP
		   Redirect traffic for	public IP address to a machine on  the
		   local network.  This	function is known as static NAT.  Nor-
		   mally  static  NAT  is  useful  if your ISP has allocated a
		   small block of IP addresses to you, but it can even be used
		   in the case of single address:

			 redirect_address 10.0.0.8 0.0.0.0

		   The above command would redirect all	 incoming  traffic  to
		   machine 10.0.0.8.

		   If  several address aliases specify the same	public address
		   as follows

			 redirect_address 192.168.0.2 public_addr
			 redirect_address 192.168.0.3 public_addr
			 redirect_address 192.168.0.4 public_addr

		   the incoming	traffic	will be	directed to  the  last	trans-
		   lated  local	 address  (192.168.0.4),  but outgoing traffic
		   from	the first two addresses	will still be aliased  to  ap-
		   pear	from the specified public_addr.

       -redirect_port	proto  targetIP:targetPORT[,targetIP:targetPORT[,...]]
		   [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

       -redirect_address localIP[,localIP[,...]] publicIP
		   These forms of  -redirect_port  and	-redirect_address  are
		   used	 to  transparently  offload  network  load on a	single
		   server and distribute the load across a  pool  of  servers.
		   This	 function  is known as LSNAT (RFC 2391).  For example,
		   the argument

			 tcp www1:http,www2:http,www3:http www:http

		   means that incoming HTTP requests  for  host	 www  will  be
		   transparently  redirected to	one of the www1, www2 or www3,
		   where a host	is selected simply  on	a  round-robin	basis,
		   without regard to load on the net.

       -dynamic	   If  the  -n or -interface option is used, natd will monitor
		   the routing socket for alterations to the interface passed.
		   If the interface's IP address is changed, natd will dynami-
		   cally alter its concept of the alias	address.

       -in_port	| -i port
		   Read	from and write to divert(4) port  port,	 treating  all
		   packets as "incoming".

       -out_port | -o port
		   Read	 from  and  write to divert(4) port port, treating all
		   packets as "outgoing".

       -port | -p port
		   Read	from and write to divert(4) port port,	distinguishing
		   packets  as "incoming" or "outgoing"	using the rules	speci-
		   fied	in divert(4).  If port is not numeric, it is  searched
		   for	in  the	 services(5)  database.	 If this option	is not
		   specified, the divert port named natd will be used as a de-
		   fault.

       -alias_address |	-a address
		   Use address as the aliasing address.	 Either	 this  or  the
		   -interface  option  must  be	 used  (but  not both),	if the
		   -proxy_only option is not specified.	 The specified address
		   is usually the address assigned to the "public" network in-
		   terface.

		   All data passing out	will be	rewritten with	a  source  ad-
		   dress equal to address.  All	data coming in will be checked
		   to  see  if it matches any already-aliased outgoing connec-
		   tion.  If it	does, the packet is altered  accordingly.   If
		   not,	    all	    -redirect_port,	-redirect_proto	   and
		   -redirect_address assignments are checked and actioned.  If
		   no other action can be made and if  -deny_incoming  is  not
		   specified, the packet is delivered to the local machine us-
		   ing the rules specified in -target_address option below.

       -t | -target_address address
		   Set	the target address.  When an incoming packet not asso-
		   ciated with any pre-existing	link arrives at	the  host  ma-
		   chine, it will be sent to the specified address.

		   The	target address may be set to 255.255.255.255, in which
		   case	all new	incoming packets go to the alias  address  set
		   by -alias_address or	-interface.

		   If  this  option  is	 not used, or called with the argument
		   0.0.0.0, then all new incoming packets go  to  the  address
		   specified  in the packet.  This allows external machines to
		   talk	directly to internal machines if they can route	 pack-
		   ets to the machine in question.

       -interface | -n interface
		   Use	interface to determine the aliasing address.  If there
		   is a	 possibility  that  the	 IP  address  associated  with
		   interface  may  change,  the	-dynamic option	should also be
		   used.  If this option is not	specified, the	-alias_address
		   option must be used.

		   The	 specified  interface  is  usually  the	 "public"  (or
		   "external") network interface.

       -config | -f file
		   Read	configuration from file.  A file should	contain	a list
		   of options, one per line, in	the same form as the long form
		   of the above	command	line options.  For example, the	line

			 alias_address 158.152.17.1

		   would specify an alias address  of  158.152.17.1.   Options
		   that	do not take an argument	are specified with an argument
		   of  yes  or no in the configuration file.  For example, the
		   line

			 log yes

		   is synonymous with -log.

		   Options can be divided to several sections.	 Each  section
		   applies to own natd instance.  This ability allows the con-
		   figuration  of  one natd process for	several	NAT instances.
		   The first instance that always exists is  a	"default"  in-
		   stance.  Each another instance should begin with

			 instance instance_name

		   At the next should be placed	a configuration	option.	 Exam-
		   ple:

			 # default instance
			 port 8668
			 alias_address 158.152.17.1

			 # second instance
			 instance dsl1
			 port 8888
			 alias_address 192.168.0.1

		   Trailing  spaces  and  empty	lines are ignored.  A `#' sign
		   will	mark the rest of the line as a comment.

       -instance instancename
		   This	option switches	command	 line  options	processing  to
		   configure  instance instancename (creating it if necessary)
		   till	the next -instance option or end of command line.   It
		   is easier to	set up multiple	instances in the configuration
		   file	 specified  with  the  -config option rather than on a
		   command line.

       -globalport port
		   Read	from and write to divert(4) port  port,	 treating  all
		   packets  as "outgoing".  This option	is intended to be used
		   with	multiple instances: packets received on	this port  are
		   checked  against  internal translation tables of every con-
		   figured instance.  If an entry is found, packet is  aliased
		   according  to  that entry.  If no entry was found in	any of
		   the instances, packet is passed unchanged, and no new entry
		   will	be created.  See the section "MULTIPLE INSTANCES"  for
		   more	details.

       -reverse	   This	  option   makes  natd	reverse	 the  way  it  handles
		   "incoming" and "outgoing" packets, allowing it  to  operate
		   on	the  "internal"	 network  interface  rather  than  the
		   "external" one.

		   This	can be useful in some transparent proxying  situations
		   when	 outgoing  traffic  is redirected to the local machine
		   and natd is running on the internal interface  (it  usually
		   runs	on the external	interface).

       -proxy_only
		   Force  natd	to  perform transparent	proxying only.	Normal
		   address translation is not performed.

       -proxy_rule [type encode_ip_hdr | encode_tcp_stream] port  xxxx	server
		   a.b.c.d:yyyy
		   Enable transparent proxying.	 Outgoing TCP packets with the
		   given  port	going  through this host to any	other host are
		   redirected to the given server and port.   Optionally,  the
		   original  target  address  can  be encoded into the packet.
		   Use encode_ip_hdr to	put this information into the  IP  op-
		   tion	field or encode_tcp_stream to inject the data into the
		   beginning of	the TCP	stream.

       -punch_fw basenumber:count
		   This	  option   directs   natd   to	"punch	holes"	in  an
		   ipfirewall(4) based firewall	for FTP/IRC  DCC  connections.
		   This	 is  done dynamically by installing temporary firewall
		   rules which allow a particular connection  (and  only  that
		   connection)	to go through the firewall.  The rules are re-
		   moved once the corresponding	connection terminates.

		   A maximum of	count rules  starting  from  the  rule	number
		   basenumber  will  be	used for punching firewall holes.  The
		   range will be cleared for all rules on startup.   This  op-
		   tion	 has no	effect when the	kernel is in security level 3,
		   see init(8) for more	information.

       -skinny_port port
		   This	option allows you to specify the TCP port used for the
		   Skinny Station protocol.  Skinny is used by Cisco IP	phones
		   to communicate with Cisco Call Managers  to	set  up	 voice
		   over	 IP  calls.   By  default, Skinny aliasing is not per-
		   formed.  The	typical	port value for Skinny is 2000.

       -log_ipfw_denied
		   Log when a packet cannot be re-injected because an  ipfw(8)
		   rule	blocks it.  This is the	default	with -verbose.

       -pid_file | -P file
		   Specify an alternate	file in	which to store the process ID.
		   The default is /var/run/natd.pid.

       -exit_delay ms
		   Specify  delay  in ms before	daemon exit after signal.  The
		   default is 10000.

RUNNING	NATD
       The following steps are necessary before	attempting to run natd:

       1.   Build a custom kernel with the following options:

		  options IPFIREWALL
		  options IPDIVERT

	    Refer to the handbook for detailed instructions on building	a cus-
	    tom	kernel.

       2.   Ensure that	your machine is	acting as a gateway.  This can be done
	    by specifying the line

		  gateway_enable=YES

	    in the /etc/rc.conf	file or	using the command

		  sysctl net.inet.ip.forwarding=1

       3.   If you use the -interface option, make sure	that your interface is
	    already configured.	 If, for example, you wish to  specify	`tun0'
	    as your interface, and you are using ppp(8)	on that	interface, you
	    must make sure that	you start ppp prior to starting	natd.

       Running natd is fairly straight forward.	 The line

	     natd -interface ed0

       should suffice in most cases (substituting the correct interface	name).
       Please  check rc.conf(5)	on how to configure it to be started automati-
       cally during boot.  Once	natd is	running, you must ensure that  traffic
       is diverted to natd:

       1.   You	 will need to adjust the /etc/rc.firewall script to taste.  If
	    you	are not	interested in having a firewall, the  following	 lines
	    will do:

		  /sbin/ipfw -f	flush
		  /sbin/ipfw add divert	natd all from any to any via ed0
		  /sbin/ipfw add pass all from any to any

	    The	 second	line depends on	your interface (change `ed0' as	appro-
	    priate).

	    You	should be aware	of the fact that,  with	 these	firewall  set-
	    tings,  everyone on	your local network can fake his	source-address
	    using your host as gateway.	 If there are other hosts on your  lo-
	    cal	 network, you are strongly encouraged to create	firewall rules
	    that only allow traffic to and from	trusted	hosts.

	    If you specify real	firewall rules,	it is best to specify  line  2
	    at	the  start  of the script so that natd sees all	packets	before
	    they are dropped by	the firewall.

	    After translation by natd, packets re-enter	the  firewall  at  the
	    rule  number  following  the rule number that caused the diversion
	    (not the next rule if there	are several at the same	number).

       2.   Enable your	firewall by setting

		  firewall_enable=YES

	    in /etc/rc.conf.  This tells the system startup scripts to run the
	    /etc/rc.firewall script.  If you do	not wish to reboot  now,  just
	    run	 this  by hand from the	console.  NEVER	run this from a	remote
	    session unless you put it into the background.   If	 you  do,  you
	    will  lock yourself	out after the flush takes place, and execution
	    of /etc/rc.firewall	will stop at this point	 -  blocking  all  ac-
	    cesses  permanently.   Running the script in the background	should
	    be enough to prevent this disaster.

MULTIPLE INSTANCES
       It is not so uncommon to	have a need of aliasing	to several external IP
       addresses.  While this traditionally was	achieved  by  running  several
       natd  processes with independent	configurations,	natd can have multiple
       aliasing	instances in a single process, also allowing them to be	not so
       independent of each other.  For example,	let us see a  common  task  of
       load  balancing	two  channels to different providers on	a machine with
       two external interfaces `sis0' (with IP 1.2.3.4)	and  `sis2'  (with  IP
       2.3.4.5):

		       net 1.2.3.0/24
	     1.2.3.1 ------------------	sis0
	     (router)		     (1.2.3.4)
						      net 10.0.0.0/24
					       sis1 -------------------	10.0.0.2
					    (10.0.0.1)
		       net 2.3.4.0/24
	     2.3.4.1 ------------------	sis2
	     (router)		     (2.3.4.5)

       Default route is	out via	`sis0'.

       Interior	 machine (10.0.0.2) is accessible on TCP port 122 through both
       exterior	IPs, and outgoing connections choose a path  randomly  between
       `sis0' and `sis2'.

       The way this works is that natd.conf builds two instances of the	alias-
       ing engine.

       In  addition  to	 these	instances'  private divert(4) sockets, a third
       socket called the "globalport" is created; packets  sent	 to  natd  via
       this one	will be	matched	against	all instances and translated if	an ex-
       isting entry is found, and unchanged if no entry	is found.  The follow-
       ing lines are placed into /etc/natd.conf:

	     log
	     deny_incoming
	     verbose

	     instance default
	     interface sis0
	     port 1000
	     redirect_port tcp 10.0.0.2:122 122

	     instance sis2
	     interface sis2
	     port 2000
	     redirect_port tcp 10.0.0.2:122 122

	     globalport	3000

       And the following ipfw(8) rules are used:

	     ipfw -f flush

	     ipfw add	   allow ip from any to	any via	sis1

	     ipfw add	   skipto 1000 ip from any to any in via sis0
	     ipfw add	   skipto 2000 ip from any to any out via sis0
	     ipfw add	   skipto 3000 ip from any to any in via sis2
	     ipfw add	   skipto 4000 ip from any to any out via sis2

	     ipfw add 1000 count ip from any to	any

	     ipfw add	   divert 1000 ip from any to any
	     ipfw add	   allow ip from any to	any

	     ipfw add 2000 count ip from any to	any

	     ipfw add	   divert 3000 ip from any to any

	     ipfw add	   allow ip from 1.2.3.4 to any
	     ipfw add	   skipto 5000 ip from 2.3.4.5 to any

	     ipfw add	   prob	.5 skipto 4000 ip from any to any

	     ipfw add	   divert 1000 ip from any to any
	     ipfw add	   allow ip from any to	any

	     ipfw add 3000 count ip from any to	any

	     ipfw add	   divert 2000 ip from any to any
	     ipfw add	   allow ip from any to	any

	     ipfw add 4000 count ip from any to	any

	     ipfw add	   divert 2000 ip from any to any

	     ipfw add 5000 fwd 2.3.4.1 ip from 2.3.4.5 to not 2.3.4.0/24
	     ipfw add	   allow ip from any to	any

       Here  the  packet from internal network to Internet goes	out via	`sis0'
       (rule number 2000) and gets caught by  the  globalport  socket  (3000).
       After  that,  either  a match is	found in a translation table of	one of
       the two instances, or the packet	is passed to  one  of  the  two	 other
       divert(4)  ports	 (1000 or 2000), with equal probability.  This ensures
       that load balancing is done on a	per-flow basis (i.e., packets  from  a
       single  TCP connection always flow through the same interface).	Trans-
       lated packets with source IP of a non-default  interface	 (`sis2')  are
       forwarded to the	appropriate router on that interface.

SEE ALSO
       libalias(3),    divert(4),   protocols(5),   rc.conf(5),	  services(5),
       syslog.conf(5), init(8),	ipfw(8), ppp(8)

HISTORY
       The natd	utility	appeared in FreeBSD 3.0.

AUTHORS
       This program is the result of the efforts of many people	 at  different
       times:

       Archie Cobbs <archie@FreeBSD.org> (divert sockets)
       Charles Mott <cm@linktel.net> (packet aliasing)
       Eivind Eklund <perhaps@yes.no> (IRC support & misc additions)
       Ari Suutari <suutari@iki.fi> (natd)
       Dru Nelson <dnelson@redwoodsoft.com> (early PPTP	support)
       Brian Somers <brian@awfulhak.org> (glue)
       Ruslan Ermilov <ru@FreeBSD.org> (natd, packet aliasing, glue)
       Poul-Henning Kamp <phk@FreeBSD.org> (multiple instances)

FreeBSD	14.3			October	5, 2016			       NATD(8)

---

NAME | SYNOPSIS | DESCRIPTION | RUNNING NATD | MULTIPLE INSTANCES | SEE ALSO | HISTORY | AUTHORS

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=natd&manpath=FreeBSD+14.3-RELEASE+and+Ports>

home | help

---

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact