From owner-man-jp-reviewer@jp.freebsd.org  Mon Jan 24 00:44:31 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id AAA52357;
	Mon, 24 Jan 2000 00:44:31 +0900 (JST)
	(envelope-from owner-man-jp-reviewer@jp.FreeBSD.org)
Received: from serio.al.rim.or.jp (serio.al.rim.or.jp [202.247.191.123])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id AAA52352
	for <man-jp-reviewer@jp.freebsd.org>; Mon, 24 Jan 2000 00:44:30 +0900 (JST)
	(envelope-from kuma@nk.rim.or.jp)
Received: from mail1.rim.or.jp by serio.al.rim.or.jp (8.8.8/3.7W/HMX-12) with ESMTP id AAA28717 for <man-jp-reviewer@jp.freebsd.org>; Mon, 24 Jan 2000 00:44:30 +0900 (JST)
Received: from laurel.nk.rim.or.jp (JYOcd-01p106.ppp.odn.ad.jp [210.252.246.106]) by mail1.rim.or.jp (3.7W/)
	id AAA28299 for <man-jp-reviewer@jp.freebsd.org>; Mon, 24 Jan 2000 00:44:28 +0900 (JST)
Received: from oasis.laurel.nk.rim.or.jp by laurel.nk.rim.or.jp (8.9.3/8.9.3oasis991011) with ESMTP id AAA00714
	for <man-jp-reviewer@jp.freebsd.org>; Mon, 24 Jan 2000 00:44:17 +0900 (JST)
Message-Id: <200001231544.AAA00714@laurel.nk.rim.or.jp>
To: man-jp-reviewer@jp.freebsd.org
Date: Mon, 24 Jan 2000 00:44:17 +0900
From: Norihiro Kumagai <kuma@nk.rim.or.jp>
Reply-To: man-jp-reviewer@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+990727
X-Sequence: man-jp-reviewer 1952
Subject: [man-jp-reviewer 1952] ipnat.5
Errors-To: owner-man-jp-reviewer@jp.freebsd.org
Sender: owner-man-jp-reviewer@jp.freebsd.org
X-Originator: kuma@nk.rim.or.jp

$B7'C+$G$9!#(B

ipnat.5 $B$G$9!#(B

unregulated round robin fassion $B$C$F2?$@$m$&!)(B

source address: $B%=!<%9%"%I%l%9(B
destination address: $B%G%9%F%#%M!<%7%g%s%"%I%l%9(B

$B$HLu$7$F$_$^$7$?!#E}0lE*Lu8l$"$j$^$7$?$C$1!)(B

--
$B7'C+(B $BE5Bg(B

--- ipnat-en.5-org	Tue Jan 18 16:57:36 2000
+++ ipnat.5	Fri Jan 21 00:51:05 2000
@@ -1,8 +1,9 @@
 .TH IPNAT 5
-.SH NAME
-ipnat, ipnat.conf \- IP NAT file format
-.SH DESCRIPTION
-The format for files accepted by ipnat is described by the following grammar:
+.\" jpman %Id: ipnat.5,v 1.3 1998/09/22 14:16:13 horikawa Stab %
+.SH $BL>>N(B
+ipnat, ipnat.conf \- IP NAT $B%U%!%$%k$N7A<0(B
+.SH $B2r@b(B
+ipnat $B$,<u$1IU$1$k%U%!%$%k$N7A<0$O!"0J2<$NJ8K!$G5-=R$5$l$k$b$N$G$9!#(B
 .LP
 .nf
 ipmap :: = mapblock | redir | map .
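Review bot: the top grammar production kept as trailing context here, "ipmap :: = mapblock | redir | map .", lists only three alternatives although the COMMANDS section of this same page documents a fourth keyword, bimap, and its spacing ":: =" disagrees with the "::=" every other production uses (for example "numbers ::= '0' | '1' | ..."). Both are defects in the untouched English source rather than in the translation, so they belong in the same send-pr as the "found"/"four" typo the translator already reported further down; nothing in the Japanese text needs to change for this hunk.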
@@ -23,136 +24,120 @@
 numbers ::= '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' .
 .fi
 .PP
-For standard NAT functionality, a rule should start with \fBmap\fP and then
-proceeds to specify the interface for which outgoing packets will have their
-source address rewritten.
-.PP
-Packets which will be rewritten can only be selected by matching the original
-source address.  A netmask must be specified with the IP address.
-.PP
-The address selected for replacing the original is chosen from an IP#/netmask
-pair.  A netmask of all 1's indicating a hostname is valid.  A netmask of
-31 1's (255.255.255.254) is considered invalid as there is no space for
-allocating host IP#'s after consideration for broadcast and network
-addresses.
-.PP
-When remapping TCP and UDP packets, it is also possible to change the source
-port number.  Either TCP or UDP or both can be selected by each rule, with a
-range of port numbers to remap into given as \fBport-number:port-number\fP.
-.SH COMMANDS
-There are found commands recognised by IP Filter's NAT code:
+$BI8=`E*$J(B NAT $B5!G=$G$O!"$R$H$D$N%k!<%k$O(B \fBmap\fP $B$G;O$^$j!"(B
+$B$=$N8e$K%$%s%?%U%'!<%9$N;XDj$,B3$-$^$9!#$=$N%$%s%?%U%'!<%9$+$i(B
+$B%Q%1%C%H$,=P$F9T$/:]$K%=!<%9%"%I%l%9$,=q$-49$($i$l$^$9!#(B
+.PP
+$B=q$-49$($i$l$k%Q%1%C%H$NA*Br$O!"$b$H$N%=!<%9%"%I%l%9$H$N>H9g$N$_$G(B
+$B9T$J$o$l$^$9!#(BIP $B%"%I%l%9$N;XDj$K$O%M%C%H%^%9%/$r;XDj$9$kI,MW$,(B
+$B$"$j$^$9!#(B
+.PP
+$B$b$H$N%"%I%l%9$HCV$-49$($i$l$k%"%I%l%9$O!"(BIP$BHV9f(B/$B%M%C%H%^%9%/$NAH$+$i(B
+$BA*$P$l$^$9!#$9$Y$F(B 1 $B$N%M%C%H%^%9%/$O!"%[%9%HL>$,@5$7$$$3$H$rI=$7$^$9!#(B
+1 $B$,(B 31 $B8D$+$i$J$k%M%C%H%^%9%/(B (255.255.255.254) $B$O!"%V%m!<%I%-%c%9%H(B
+$B%"%I%l%9$H%M%C%H%o!<%/%"%I%l%9$r<h$C$?$"$H$G%[%9%H(B IP $BHV9f$r3d$jEv$F$k(B
+$BM>M5$,$J$$$?$a!"@5$7$/$J$$$H8+$J$5$l$^$9!#(B
+.PP
+TCP $B%Q%1%C%H$H(B UDP $B%Q%1%C%H$N:F%^%C%W$N:]$K$O!"%=!<%9%]!<%HHV9f$NJQ99(B
+$B$b2DG=$G$9!#(BTCP, UDP $B%Q%1%C%H$H$b$I$b!"$=$l$>$l$N5,B'$GA*Br$,2DG=$G$9!#(B
+$B$3$l$i$O!"5,B'$N$&$7$m$K:F%^%C%W@h$N%]!<%HHV9f$NHO0O$r!"(B
+\fBport-number:port-number\fP $B$N7A<0$G;XDj$7$^$9!#(B
+.SH $B%3%^%s%I(B
+.\" There are found commands recognised by IP Filter's NAT code:
+.\" $B$3$NItJ,!"(BThere are four commands ... $B$N4V0c$$$G$O$J$$$+$H(B send-pr $B:Q$_(B
+.\" (2000-1-19, by kuma)
+IP $B%U%#%k%?$N(B NAT $B%3!<%I$,G'<1$9$k%3%^%s%I$,$"$j$^$9(B:
 .TP
 .B map
-that is used for mapping one address or network to another in an unregulated
-round robin fashion;
+$B%"%I%l%9$b$7$/$O%M%C%H%o!<%/$R$H$D$r!"E}@)$J$7$N%i%&%s%I%m%S%sK!$G(B
+$BB>$N%"%I%l%9$K<LA|$9$k$H$-$KMQ$$$^$9!#(B
 .TP
 .B rdr
-that is used for redirecting packets to one IP address and port pair to
-another;
+$B$"$k(B IP $B%"%I%l%9$H%]!<%H$NAH$+$iJL$NAH$K!"%Q%1%C%H$r%j%@%$%l%/%H$9$k(B
+$B$H$-$KMQ$$$^$9!#(B
 .TP
 .B bimap
-for setting up bidirectional NAT between an external IP address and an internal
-IP address and
+$B30It(B IP $B%"%I%l%9$HFbIt(B IP $B%"%I%l%9$H$N4V$GAPJ}8~(B NAT $B$r@_Dj$9$k$H$-$K(B
+$BMQ$$$^$9!#(B
 .TP
 .B map-block
-which sets up static IP address based translation, based on a algorithm to
-squeeze the addresses to be translated into the destination range.
-.SH MATCHING
-.PP
-For basic NAT and redirection of packets, the address subject to change is used
-along with its protocol to check if a packet should be altered.  In the case
-of redirects, it is also possible to select packets on a source address basis
-using the \fBfrom\fP keyword, as well as the manditory destination port.  The
-packet \fImatching\fP part of the rule is to the left of the "->" in each rule.
-.SH TRANSLATION
-.PP
-To the right of the "->" is the address and port specificaton which will be
-written into the packet providing it has already successful matched the
-prior constraints.  The case of redirections (\fBrdr\fP) is the simpliest:
-the new destination address is that specified in the rule.  For \fBmap\fP
-rules, the destination address will be one for which the tuple combining
-the new source and destination is known to be unique.  If the packet is
-either a TCP or UDP packet, the destination and source ports come into the
-equation too.  If the tuple already exists, IP Filter will increment the
-port number first, within the available range specified with \fBportmap\fP
-and if there exists no unique tuple, the source address will be incremented
-within the specified netmask.  If a unique tuple cannot be determined, then
-the packet will not be translated.  The \fBmap-block\fP is more limited in
-how it searches for a new, free and unique tuple, in that it will used an
-algorithm to determine what the new source address should be, along with the
-range of available ports - the IP address is never changed and nor does the
-port number ever exceed its alloted range.
-.SH KERNEL PROXIES
-.PP
-IP Filter comes with a few, simple, proxies built into the code that is loaded
-into the kernel to allow secondary channels to be opened without forcing the
-packets through a user program.
-.SH TRNSPARENT PROXIES
-.PP
-True transparent proxying should be performed using the redirect (\fBrdr\fP)
-rules directing ports to localhost (127.0.0.1) with the proxy program doing
-a lookup through \fB/dev/ipnat\fP to determine the real source and address
-of the connection.
-.SH EXAMPLES
-.PP
-This section deals with the \fBmap\fP command and it's variations.
-.PP
-To change IP#'s used internally from network 10 into an ISP provided 8 bit
-subnet at 209.1.2.0 through the ppp0 interface, the following would be used:
+IP $B%"%I%l%9$K4p$E$/@EE*$JJQ49$r@_Dj$7$^$9!#%"%I%l%9$r9J$j9~$_!"L\E*$NHO0O$K(B
+$B<}$^$k$h$&$KJQ49$9$k%"%k%4%j%:%`$K4p$E$/$b$N$G$9!#(B
+.SH $B>H9g=hM}(B
+.PP
+$B4pK\E*$J(B NAT $B5!G=$H%Q%1%C%H$N%j%@%$%l%/%H$K$*$$$F$O!"%W%m%H%3%k$H$H$b$K(B
+$BJQ992DG=@-$N$"$k%"%I%l%9$rMQ$$$F!"$"$k%Q%1%C%H$rJQ99$;$M$P$J$i$J$$$+(B
+$B$I$&$+$r%A%'%C%/$7$^$9!#%j%@%$%l%/%H$K$D$$$F$O!"%-!<%o!<%I(B \fBfrom\fP
+$B$rMQ$$$F!"%=!<%9%"%I%l%9$K4p$E$/%Q%1%C%HA*Br$r9T$J$&$3$H$b$G$-$^$9!#(B
+$B$=$l$>$l$N5,B'$N(B "->" $B$N:8JU$O!"$=$N5,B'$N%Q%1%C%H(B \fI$B>H9g=hM}(B\fP
+$BItJ,$G$9!#(B
+.SH $BJQ49=hM}(B
+.PP
+"->" $B$N1&JU$O!"$=$l0JA0$N@)Ls>r7o$H$N>H9g$,4{$K@.8y$7$F$$$k>l9g$K!"$=$N(B
+$B%Q%1%C%H$K=q$-9~$^$l$k%"%I%l%9$H%]!<%H$r;XDj$9$kItJ,$G$9!#%j%@%$%l%/%H$N(B
+$B>l9g(B (\fBrdr\fP) $B$,:G$bC1=c$G$9!#?7$7$$%G%9%F%#%M!<%7%g%s%"%I%l%9$r(B
+$B$=$NCf$G;XDj$7$^$9!#(B
+\fBmap\fP $B5,B'$KBP$7$F$O!"%G%9%F%#%M!<%7%g%s%"%I%l%9$O!"?7$7$$%"%I%l%9(B
+$B$NAH(B ($B%=!<%9$H%G%9%F%#%M!<%7%g%s(B) $B$,0l0UE*$G$"$k$HCN$i$l$F$$$k%"%I%l%9(B
+$B$K$J$j$^$9!#%Q%1%C%H$,(B TCP $B$+(B UDP $B%Q%1%C%H$N>l9g!"%G%9%F%#%M!<%7%g%s(B
+$B%]!<%H$H%=!<%9%]!<%H$b$3$NEy<0$K4^$a$^$9!#(B
+$B%"%I%l%9$NAH$,4{$KB8:_$9$k>l9g!"(BIP $B%U%#%k%?$O!"$^$:(B \fBportmap\fP $B$G(B
+$B;XDj$7$?M-8zHO0OFb$G%]!<%HHV9f$r(B 1 $B$DA}$d$7$^$9!#$=$&$7$F$b0l0UE*$J(B
+$B%"%I%l%9$NAH$,F@$i$l$J$$>l9g!";XDj$5$l$?%M%C%H%^%9%/$NHO0OFb$G(B
+$B%=!<%9%"%I%l%9$r(B 1 $B$DA}$d$7$^$9!#0l0UE*$J%"%I%l%9$NAH$,7h$7$FF@$i$l$J$$(B
+$B>l9g!"%Q%1%C%H$OJQ49$5$l$^$;$s!#(B\fBmap-block\fP $B$G$O!"?75,%"%I%l%9$NAH!"(B
+$B%U%j!<$J%"%I%l%9$NAH!"0l0UE*$J%"%I%l%9$NAH$r8!:w$9$k$d$j$+$?$,$h$j8BDj(B
+$B$5$l$^$9!#$3$3$G$O!"%]!<%H$NM-8zHO0O$K2C$($F!"?7$7$$%=!<%9%"%I%l%9$r(B
+$B2?$K$9$k$+$r7hDj$9$k%"%k%4%j%:%`$r;HMQ$7$^$9!#(BIP $B%"%I%l%9$O7h$7$F(B
+$BJQ99$5$l$^$;$s$7!"%]!<%HHV9f$b3d$jEv$F$i$l$?HO0O$r1[$($k$b$N$O(B
+$BJQ99$5$l$^$;$s!#(B
+.SH $B%+!<%M%k%W%m%-%7(B
+.PP
+IP $B%U%#%k%?$K$O!"%+!<%M%k$K%m!<%I$5$l$k%3!<%I$NCf$KAH$_9~$^$l$?C1=c$J(B
+$B%W%m%-%7$,$$$/$D$+IU$$$F$-$^$9!#$3$l$K$h$j!"%Q%1%C%H$r%f!<%6%W%m%0%i%`$r(B
+$BDL$5$;$:$K(B 2 $BHVL\$N%A%c%M%k$r3+$1$F$*$/$3$H$,2DG=$H$J$j$^$9!#(B
+.SH $BF)2a7?%W%m%-%7(B
+.PP
+$B??$NF)2a7?%W%m%-%7=hM}(B (transparent proxying) $B$O!"<B:]$NH/?.85$H(B
+$B%3%M%/%7%g%s$N%"%I%l%9$r7hDj$9$k$?$a!"(B\fB/dev/ipnat\fP $B7PM3$G8!:w$r(B
+$B9T$J$&%W%m%-%7%W%m%0%i%`$rMQ$$$F!"(Blocalhost (127.0.0.1) $B$N%]!<%H$K(B
+$BBP1~IU$1$k%j%@%$%l%/%H(B (\fBrdr\fP) $B5,B'$rMQ$$$F9T$J$&I,MW$,$"$j$^$9!#(B
+.SH $B;HMQNc(B
+.PP
+$BK\%;%/%7%g%s$G$O!"(B\fBmap\fP $B%3%^%s%I$H$=$NJQ7A$r07$$$^$9!#(B
+.PP
+ppp0 $B%$%s%?%U%'!<%97PM3$G!"FbIt$G;HMQ$9$k(B IP $BHV9f$,%M%C%H%o!<%/(B 10 $B$N(B
+$B%Q%1%C%H$r!"(BISP ($B%$%s%?!<%M%C%H%5!<%S%9%W%m%P%$%@(B) $B$,Ds6!$7$F$/$l$?(B 
+209.1.2.0 (8 $B%S%C%H%5%V%M%C%H(B) $B$KJQ99$9$k>l9g!"0J2<$N5,B'$r;H$$$^$9!#(B
 .LP
 .nf
 map ppp0 10.0.0.0/8 -> 209.1.2.0/24
 .fi
 .PP
-The obvious problem here is we're trying to squeeze over 16,000,000 IP
-addresses into a 254 address space.  To increase the scope, remapping for TCP
-and/or UDP, port remapping can be used;
+$B$3$3$G!"(B16,000,000 $B8D0J>e$N(B IP $B%"%I%l%9$r(B 254 $B8D$K9J$j9~$b$&$H$9$k$3$H(B
+$B$,LdBj$J$N$OL@$i$+$G$7$g$&!#%9%3!<%W$r9-$2$k$?$a$K!"(BTCP $B$H(B UDP $B$K$D$$$F$O(B
+$B%]!<%H:F%^%C%W$r;H$&$3$H$b$G$-$^$9!#(B
 .LP
 .nf
 map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
 .fi
 .PP
-which falls only 527,566 `addresses' short of the space available in network
-10.  If we were to combine these rules, they would need to be specified as
-follows:
+$B$3$l$G!"%M%C%H%o!<%/(B 10 $B$GMxMQ2DG=$J6u4V$N$&$A!"ITB-J,$O(B ``$B%"%I%l%9(B''
+527,566 $B8DJ,$@$1$K$J$j$^$9!#$3$l$i$N5,B'$r7k9g$5$;$k$H$9$k$H!"0J2<$N$h(B
+$B$&$J;XDj$,I,MW$H$J$j$^$9!#(B
 .LP
 .nf
 map ppp0 10.0.0.0/8 -> 209.1.2.0/24 portmap tcp/udp 1025:65000
 map ppp0 10.0.0.0/8 -> 209.1.2.0/24
 .fi
 .PP
-so that all TCP/UDP packets were port mapped and only other protocols, such as
-ICMP, only have their IP# changed.  In some instaces, it is more appropriate
-to use the keyword \fBauto\fP in place of an actual range of port numbers if
-you want to guarantee simultaneous access to all within the given range.
-However, in the above case, it would default to 1 port per IP address, since
-we need to squeeze 24 bits of address space into 8.  A good example of how
-this is used might be:
-.LP
-.nf
-map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto
-.fi
-.PP
-which would result in each IP address being given a small range of ports to
-use (252).  The problem here is that the \fBmap\fP directive tells the NAT
-code to use the next address/port pair available for an outgoing connection,
-resulting in no easily discernable relation between external addresses/ports
-and internal ones.  This is overcome by using \fBmap-block\fP as follows:
-.LP
-.nf
-map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto
-.fi
-.PP
-For example, this would result in 172.192.0.0/24 being mapped to 209.1.2.0/32
-with each address, from 172.192.0.0 to 172.192.0.255 having 252 ports of its
-own.  As opposed to the above use of \fBmap\fP, if for some reason the user
-of (say) 172.192.0.2 wanted 260 simultaneous connections going out, they would
-be limited to 252 with \fBmap-block\fP but would just \fImove on\fP to the next
-IP address with the \fBmap\fP command.
+$B$3$l$G!"(BTCP/UDP $B%Q%1%C%H$N$9$Y$F$O%]!<%H%^%C%W$,9T$J$o$l!"(BIP $B%"%I%l%9(B
+$B$N$_$,JQ99$5$l$k$N$O(B ICMP $B$J$IB>$N%W%m%H%3%k$@$1$H$J$j$^$9!#(B
+.SH $B4XO"%U%!%$%k(B
 /dev/ipnat
 .br
 /etc/services
 .br
 /etc/hosts
-.SH SEE ALSO
+.SH $B4XO"9`L\(B
 ipnat(4), hosts(5), ipf(5), services(5), ipf(8), ipnat(8)
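Review bot: the replacement of the English passage that begins "so that all TCP/UDP packets were port mapped and only other protocols, such as" and ends "IP address with the \fBmap\fP command." translates only its first sentence; everything after it, namely the discussion of the "auto" keyword, the two example rules "map ppp0 172.192.0.0/16 -> 209.1.2.0/24 portmap tcp/udp auto" and "map-block ppp0 172.192.0.0/16 -> 209.1.2.0/24 ports auto", and the explanation that each address then gets 252 ports and that a host wanting more connections moves on to the next address under map but is capped at 252 under map-block, is dropped with no Japanese counterpart, .LP/.nf/.fi blocks included, which leaves the EXAMPLES section without its only map-block example. Please translate that text rather than omit it. Two smaller points in the same hunk: the rendering of "A netmask of all 1's indicating a hostname is valid." reads as "a netmask of all 1's indicates that the hostname is valid", whereas the English means that an all-ones mask (a single host) is itself a valid specification; and the added FILES heading (.SH 関連ファイル, shown in raw ISO-2022-JP in the patch) above "/dev/ipnat" has no matching "-.SH FILES" line in the patch as posted, so either the English source lacks that heading, which is worth reporting upstream alongside the found/four typo, or a line was lost in transit; please check against the source file.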
