NATD(8)                 FreeBSD System Manager's Manual                NATD(8)

NAME
     natd - Network Address Translation Daemon

SYNOPSIS
     natd [-ldsmvu] [-permanent_link] [-dynamic] [-i inport] [-o outport]
          [-p port] [-a address] [-n interface] [-f configfile]

     natd [-log] [-deny_incoming] [-use_sockets] [-same_ports] [-verbose]
          [-unregistered_only] [-permanent_link] [-dynamic] [-inport inport]
          [-outport outport] [-port port] [-alias_address address]
          [-interface interface] [-config configfile]
          [-redirect_port linkspec] [-redirect_address localIP publicIP]

DESCRIPTION
     This program provides a Network Address Translation facility for use with
     divert(4) sockets under FreeBSD.  Most of the command line options are
     available in a single character short form or in a long form.  Use of the
     long form is encouraged as it makes things clearer to the casual
     observer.

     Natd normally runs in the background as a daemon.  It is passed raw IP
     packets as they travel into and out of the machine, and will possibly
     change these before re-injecting them back into the IP packet stream.

     Natd changes all packets destined for another host so that their source
     IP number is that of the current machine.  For each packet changed in
     this manner, an internal table entry is created to record this fact.  The
     source port number is also changed to indicate the table entry applying
     to the packet.  Packets that are received with a target IP of the current
     host are checked against this internal table.  If an entry is found, it
     is used to determine the correct target IP number and port to place in
     the packet.

     The following command line options are available.

     -log | -l   Log various aliasing statistics and information to the file
                 /var/log/alias.log.  This file is truncated each time natd is
                 started.

     -deny_incoming | -d
                 Reject packets destined for the current IP number that have
                 no entry in the internal translation table.

     -use_sockets | -s
                 Allocate a socket(2) in order to establish an FTP data or IRC
                 DCC send connection.  This option uses more system resources,
                 but guarantees successful connections when port numbers
                 conflict.

     -same_ports | -m
                 Try to keep the same port number when altering outgoing
                 packets.  With this option, protocols such as RPC will have a
                 better chance of working.  If it is not possible to maintain
                 the port number, it will be silently changed as per normal.

     -verbose | -v
                 Don't call fork(2) or daemon(3) on startup.  Instead, stay
                 attached to the controlling terminal and display all packet
                 alterations to the standard output.  This option should only
                 be used for debugging purposes.

     -unregistered_only | -u
                 Only alter outgoing packets with an unregistered source
                 address.  According to RFC 1918, unregistered source
                 addresses are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

     -redirect_port linkspec
                 Redirect incoming connections arriving to given port to
                 another host and port.  Linkspec is of the form

                   proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

                 where proto is either tcp or udp, targetIP is the desired
                 target IP number, targetPORT is the desired target PORT
                 number, aliasPORT is the requested PORT number and aliasIP is
                 the aliasing address.  RemoteIP and remotePORT can be used to
                 specify the connection more accurately if necessary.  For
                 example, the argument

                 tcp inside1:telnet 6666

                 means that tcp packets destined for port 6666 on this machine
                 will be sent to the telnet port on the inside1 machine.

     -redirect_address localIP publicIP
                 Redirect traffic for public IP address to a machine on the
                 local network. This function is known as "static NAT".
                 Normally static NAT is useful if your ISP has allocated a
                 small block of IP addresses to you, but it can even be used
                 in the case of a single address:

                   redirect_address 10.0.0.8 0.0.0.0

                 The above command would redirect all incoming traffic to
                 machine 10.0.0.8.

                 If several address aliases specify the same public address as
                 follows

                   redirect_address 192.168.0.2 public_addr
                   redirect_address 192.168.0.3 public_addr
                   redirect_address 192.168.0.4 public_addr

                 the incoming traffic will be directed to the last translated
                 local address (192.168.0.4), but outgoing traffic to the
                 first two addresses will still be aliased to specified public
                 address.

     -permanent_link linkspec
                 Create a permanent entry in the internal alias table.
                 Linkspec is of the form

                   proto targetIP:targetPORT sourceIP:sourcePORT aliasPORT

                 where proto is either tcp or udp, targetIP is the desired
                 target IP number, targetPORT is the desired target PORT
                 number, sourceIP and sourcePORT match the incoming packet,
                 and aliasPORT is the requested PORT number.  Values of zero
                 are considered as wildcards.  For example, the argument

                 tcp inside1:telnet outside1:0 6666

                 means that tcp packets destined for port 6666 on this machine
                 from the outside1 machine (any port) will be sent to the
                 telnet port on the inside1 machine.

                 New installations are encouraged to use redirect_port
                 instead.

     -dynamic    If the -n or -interface option is used, natd will monitor the
                 routing socket for alterations to the interface passed.  If
                 the interface's IP number is changed, natd will dynamically
                 alter its concept of the alias address.

     -i | -inport inport
                 Read from and write to inport, treating all packets as
                 packets coming into the machine.

     -o | -outport outport
                 Read from and write to outport, treating all packets as
                 packets going out of the machine.

     -p | -port port
                 Read from and write to port, distinguishing packets as
                 incoming or outgoing using the rules specified in divert(4).
                 If port is not numeric, it is searched for in the
                 /etc/services database using the getservbyname(3) function.
                 If this flag is not specified, the divert port named natd
                 will be used as a default.  An example entry in the
                 /etc/services database would be:

                   natd   8668/divert  # Network Address Translation socket

                 Refer to services(5) for further details.

     -a | -alias_address address
                 Use address as the alias address.  If this option is not
                 specified, the -n or -interface option must be used.  The
                 specified address should be the address assigned to the
                 public network interface.

                 All data passing out through this address's interface will be
                 rewritten with a source address equal to address.  All data
                 arriving at the interface from outside will be checked to see
                 if it matches any already-aliased outgoing connection.  If it
                 does, the packet is altered accordingly.  If not, all
                 -redirect_port and -redirect_address assignments are checked
                 and actioned.  If no other action can be made, and if
                 -deny_incoming is not specified, the packet is delivered to
                 the local machine and port as specified in the packet.

     -n | -interface interface
                 Use interface to determine the alias address.  If there is a
                 possibility that the IP number associated with interface may
                 change, the -dynamic flag should also be used.  If this
                 option is not specified, the -a or -alias_address flag must
                 be used.

                 The specified interface must be the public network interface.

     -f | -config configfile
                 Read configuration from configfile.  Configfile contains a
                 list of options, one per line in the same form as the long
                 form of the above command line flags.  For example, the line

                   alias_address 158.152.17.1

                 would specify an alias address of 158.152.17.1.  Options that
                 don't take an argument are specified with an option of yes or
                 no in the configuration file.  For example, the line

                   log yes

                 is synonymous with -log.  Empty lines and lines beginning
                 with '#' are ignored.
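
                 The configuration file format described above can be checked
                 mechanically.  The following added example (not part of natd or
                 the FreeBSD base system) is a small POSIX shell script that
                 reads such a file and prints the equivalent command-line
                 arguments, rejecting a flag option whose value is neither yes
                 nor no.  The function names and the sample file it writes are
                 constructed for this example.

```shell
#!/bin/sh
# Added example (not natd's own code): translate a natd(8) configuration
# file into the equivalent long-form command-line arguments, following the
# rules in the manual: one option per line in long form without the leading
# '-', "yes"/"no" for options that take no argument, and empty lines or
# lines beginning with '#' ignored.

natd_config_to_args() {
    cfg=$1            # path to the configuration file
    args=''
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f        # word-split into option and arguments
        [ $# -eq 0 ] && continue            # empty line
        case $1 in '#'*) continue ;; esac   # comment line
        opt=$1; shift
        case $opt in
            log|deny_incoming|use_sockets|same_ports|verbose|unregistered_only|dynamic)
                # flag options carry yes or no in the file
                case $1 in
                    yes) args="$args -$opt" ;;
                    no)  ;;
                    *)   printf '%s:%d: %s expects yes or no, got "%s"\n' \
                             "$cfg" "$n" "$opt" "$1" >&2
                         return 1 ;;
                esac ;;
            *)
                # everything else is passed through with its argument(s)
                args="$args -$opt"
                for a in "$@"; do args="$args $a"; done ;;
        esac
    done < "$cfg"
    printf '%s\n' "${args# }"
}

# natd_sample_config: write a constructed sample file (not from the manual)
# to the path given in $1.
natd_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample: NAT on ed0, follow address changes, log to alias.log
interface ed0
dynamic yes
log yes
deny_incoming no
redirect_port tcp 192.168.0.2:80 80
EOF
}

tmp=$(mktemp)
natd_sample_config "$tmp"
echo "natd $(natd_config_to_args "$tmp")"
# prints: natd -interface ed0 -dynamic -log -redirect_port tcp 192.168.0.2:80 80
rm -f "$tmp"
```

                 Options that take arguments, such as redirect_port, are passed
                 through with all their words; only the flag options listed in
                 the script are validated for a yes/no value.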

RUNNING NATD
     The following steps are necessary before attempting to run natd:

     1.   Get FreeBSD version 2.2 or higher.  Versions before this do not
          support divert(4) sockets.

     2.   Build a custom kernel with the following options:

            options IPFIREWALL
            options IPDIVERT

          Refer to the handbook for detailed instructions on building a custom
          kernel.

     3.   Ensure that your machine is acting as a gateway.  This can be done
          by specifying the line

            gateway_enable=YES

          in /etc/rc.conf, or using the command

            sysctl -w net.inet.ip.forwarding=1

     4.   If you wish to use the -n or -interface flags, make sure that your
          interface is already configured.  If, for example, you wish to
          specify tun0 as your interface, and you're using ppp(8) on that
          interface, you must make sure that you start ppp prior to starting
          natd.

     5.   Create an entry in /etc/services:

            natd          8668/divert  # Network Address Translation socket

          This gives a default for the -p or -port flag.

     Running natd is fairly straightforward.  The line

       natd -interface ed0

     should suffice in most cases (substituting the correct interface name).
     Once natd is running, you must ensure that traffic is diverted to natd:

     1.   You will need to adjust the /etc/rc.firewall script to taste.  If
          you're not interested in having a firewall, the following lines will
          do:

            /sbin/ipfw -f flush
            /sbin/ipfw add divert natd all from any to any via ed0
            /sbin/ipfw add pass all from any to any

          The second line depends on your interface (change ed0 as
          appropriate) and assumes that you've updated /etc/services with the
          natd entry as above.  If you specify real firewall rules, it's best
          to specify line 2 at the start of the script so that natd sees all
          packets before they are dropped by the firewall.  The firewall rules
          will be run again on each packet after translation by natd, minus
          any divert rules.

     2.   Enable your firewall by setting

            firewall_enable=YES

          in /etc/rc.conf.  This tells the system startup scripts to run the
          /etc/rc.firewall script.  If you don't wish to reboot now, just run
          this by hand from the console.  NEVER run this from a virtual
          session unless you put it into the background.  If you do, you'll
          lock yourself out after the flush takes place, and execution of
          /etc/rc.firewall will stop at this point - blocking all accesses
          permanently.  Running the script in the background should be enough
          to prevent this disaster.
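
     The steps above can be checked with the following added example (not
     part of natd or the FreeBSD base system).  The three shell functions
     read constructed files rather than the live system: natd_divert_port
     finds the default divert port from an /etc/services-style file,
     natd_firewall_rules emits the minimal rule set from step 1 for a given
     interface, and natd_check_divert_order lints an rc.firewall-style
     script for the ordering requirement in step 1 (the divert rule must
     precede any deny rule).  The interface name ed0 and the rule text are
     taken from the manual; the function names and the sample file contents
     are constructed.

```shell
#!/bin/sh
# Added example (not part of natd or the FreeBSD base system): helpers for
# the RUNNING NATD procedure.  They read constructed files instead of the
# live system so they can be run anywhere.

# natd_divert_port: find the port natd uses by default, i.e. the
# "natd  N/divert" entry in an /etc/services-style file ($1).
# Prints the port number; returns 1 if there is no such entry.
natd_divert_port() {
    awk '$1 == "natd" && $2 ~ /^[0-9]+\/divert$/ {
             split($2, p, "/"); print p[1]; found = 1; exit
         }
         END { if (!found) exit 1 }' "$1"
}

# natd_firewall_rules: emit the minimal rule set from the manual for the
# public interface $1, with the divert rule ahead of the pass-all rule.
natd_firewall_rules() {
    printf '/sbin/ipfw -f flush\n'
    printf '/sbin/ipfw add divert natd all from any to any via %s\n' "$1"
    printf '/sbin/ipfw add pass all from any to any\n'
}

# natd_check_divert_order: lint an rc.firewall-style script ($1).  The
# "divert natd" rule must come before the first deny/reset/unreach rule,
# otherwise packets are dropped before natd ever sees them.
# Returns 0 if the order is right, 2 if the divert rule comes too late,
# 1 if there is no divert natd rule at all.
natd_check_divert_order() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /ipfw[[:space:]]+add[[:space:]]/ && /[[:space:]]divert[[:space:]]+natd[[:space:]]/ {
            if (!deny) ok = 1; else late = 1
            exit
        }
        /ipfw[[:space:]]+add[[:space:]]/ && /[[:space:]](deny|reset|unreach)[[:space:]]/ {
            deny = 1
        }
        END { if (ok) exit 0; if (late) exit 2; exit 1 }
    ' "$1"
}

# Constructed demonstration input, not taken from any real system.
svc=$(mktemp); fw=$(mktemp)
printf 'natd\t8668/divert\t# Network Address Translation socket\n' > "$svc"
natd_firewall_rules ed0 > "$fw"
echo "default divert port: $(natd_divert_port "$svc")"
natd_check_divert_order "$fw" && echo "divert rule precedes any deny rule"
rm -f "$svc" "$fw"
```

     A real /etc/rc.firewall can be passed to natd_check_divert_order
     directly; an exit status of 2 means a deny rule was found before the
     divert natd rule, which is the situation step 1 warns about.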

SEE ALSO
     getservbyname(3), socket(2), divert(4), services(5), ipfw(8)

AUTHORS
     This program is the result of the efforts of many people at different
     times:

     Archie Cobbs <archie@whistle.com> (divert sockets)
     Charles Mott <cmott@srv.net> (packet aliasing)
     Eivind Eklund <perhaps@yes.no> (IRC support & misc additions)
     Ari Suutari <suutari@iki.fi> (natd)
     Brian Somers <brian@awfulhak.org> (glue)

FreeBSD                          15 April 1997                         FreeBSD

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=natd&manpath=FreeBSD+2.2.8-RELEASE>