diff --git a/etc/network.subr b/etc/network.subr
index 1e49f779f13c..e43b9d4ba049 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $Id$
+# $Id: rc.network,v 1.21 1998/04/12 09:47:43 markm Exp $
 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
 
 # Note that almost all the user-configurable behavior is no longer in
@@ -265,6 +265,14 @@ network_pass3() {
 	if [ "X${mrouted_enable}" = X"YES" ]; then
 		echo -n ' mrouted'; mrouted ${mrouted_flags}
 	fi
+
+	# Network Address Translation daemon
+	if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
+		if [ -a "X${firewall_enable}" = X"YES" ]; then
+			echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
+		fi
+	fi
+
 	echo '.'
 	network_pass3_done=YES
 }
diff --git a/etc/rc.conf b/etc/rc.conf
index eb537f3a8507..a18aa3c6e8b7 100644
--- a/etc/rc.conf
+++ b/etc/rc.conf
@@ -6,7 +6,7 @@
 #
 # All arguments must be in double or single quotes.
 #
-# $Id$
+# $Id: rc.conf,v 1.44 1998/04/12 09:47:41 markm Exp $
 
 ##############################################################
 ### Important initial Boot-time options #####################
@@ -31,6 +31,9 @@ nisdomainname="NO" # Set to NIS domain if using NIS (or NO).
 firewall_enable="NO" # Set to YES to enable firewall functionality
 firewall_type="UNKNOWN" # Firewall type (see /etc/rc.firewall)
 firewall_quiet="NO" # Set to YES to suppress rule display
+natd_enable="NO" # Enable natd (if firewall_enable == YES).
+natd_interface="fxp0" # Public interface to use with natd.
+natd_flags="" # Additional flags for natd.
 tcp_extensions="YES" # Allow RFC1323 & RFC1644 extensions (or NO).
 network_interfaces="lo0" # List of network interfaces (lo0 is loopback).
 ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
diff --git a/etc/rc.d/netoptions b/etc/rc.d/netoptions
index 1e49f779f13c..e43b9d4ba049 100644
--- a/etc/rc.d/netoptions
+++ b/etc/rc.d/netoptions
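Review bot: The inner test on the new side of the network_pass3 hunk, `if [ -a "X${firewall_enable}" = X"YES" ]; then`, carries a stray leading `-a`, so test(1) receives four operands that begin with a binary operator; depending on the implementation that is rejected as a syntax error or parsed as a file-existence check on the expansion of `X${firewall_enable}`, and in neither case is the firewall setting actually compared, so natd is never started from this path. The line should read `if [ "X${firewall_enable}" = X"YES" ]; then` (or the condition can be folded into the outer test with a second `-a`), and because the rc.conf comment ties natd to the firewall, the skipped start deserves a one-line message on stderr rather than silence. The identical hunk is repeated in etc/rc.d/netoptions, etc/rc.d/network1, etc/rc.d/network2, etc/rc.d/network3, etc/rc.d/routing and etc/rc.network (same blob) and needs the same correction in each. network_pass3 begins before the hunk.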
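Review bot: In the rc.conf hunk `natd_interface` ships with the concrete device name `fxp0` while `natd_enable` stays `NO`, and the scripts in this commit (rc.network and rc.firewall) use a non-empty `natd_interface` as their only evidence that an interface was chosen deliberately, so a host whose only edit is `natd_enable="YES"` gets a divert rule and NAT bound to whatever `fxp0` happens to be on that machine, or to nothing if that driver is absent. An empty default makes those emptiness checks meaningful and matches the "mandatory" wording added to rc.conf.5: `natd_interface="" # Public interface to use with natd (required if natd_enable == YES).`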
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $Id$
+# $Id: rc.network,v 1.21 1998/04/12 09:47:43 markm Exp $
 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
 
 # Note that almost all the user-configurable behavior is no longer in
@@ -265,6 +265,14 @@ network_pass3() {
 	if [ "X${mrouted_enable}" = X"YES" ]; then
 		echo -n ' mrouted'; mrouted ${mrouted_flags}
 	fi
+
+	# Network Address Translation daemon
+	if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
+		if [ -a "X${firewall_enable}" = X"YES" ]; then
+			echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
+		fi
+	fi
+
 	echo '.'
 	network_pass3_done=YES
 }
diff --git a/etc/rc.d/network1 b/etc/rc.d/network1
index 1e49f779f13c..e43b9d4ba049 100644
--- a/etc/rc.d/network1
+++ b/etc/rc.d/network1
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $Id$
+# $Id: rc.network,v 1.21 1998/04/12 09:47:43 markm Exp $
 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
 
 # Note that almost all the user-configurable behavior is no longer in
@@ -265,6 +265,14 @@ network_pass3() {
 	if [ "X${mrouted_enable}" = X"YES" ]; then
 		echo -n ' mrouted'; mrouted ${mrouted_flags}
 	fi
+
+	# Network Address Translation daemon
+	if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
+		if [ -a "X${firewall_enable}" = X"YES" ]; then
+			echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
+		fi
+	fi
+
 	echo '.'
 	network_pass3_done=YES
 }
diff --git a/etc/rc.d/network2 b/etc/rc.d/network2
index 1e49f779f13c..e43b9d4ba049 100644
--- a/etc/rc.d/network2
+++ b/etc/rc.d/network2
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $Id$
+# $Id: rc.network,v 1.21 1998/04/12 09:47:43 markm Exp $
 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
 
 # Note that almost all the user-configurable behavior is no longer in
@@ -265,6 +265,14 @@ network_pass3() {
 	if [ "X${mrouted_enable}" = X"YES" ]; then
 		echo -n ' mrouted'; mrouted ${mrouted_flags}
 	fi
+
+	# Network Address Translation daemon
+	if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
+		if [ -a "X${firewall_enable}" = X"YES" ]; then
+			echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
+		fi
+	fi
+
 	echo '.'
 	network_pass3_done=YES
 }
diff --git a/etc/rc.d/network3 b/etc/rc.d/network3
index 1e49f779f13c..e43b9d4ba049 100644
--- a/etc/rc.d/network3
+++ b/etc/rc.d/network3
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $Id$
+# $Id: rc.network,v 1.21 1998/04/12 09:47:43 markm Exp $
 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
 
 # Note that almost all the user-configurable behavior is no longer in
@@ -265,6 +265,14 @@ network_pass3() {
 	if [ "X${mrouted_enable}" = X"YES" ]; then
 		echo -n ' mrouted'; mrouted ${mrouted_flags}
 	fi
+
+	# Network Address Translation daemon
+	if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
+		if [ -a "X${firewall_enable}" = X"YES" ]; then
+			echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
+		fi
+	fi
+
 	echo '.'
 	network_pass3_done=YES
 }
diff --git a/etc/rc.d/routing b/etc/rc.d/routing
index 1e49f779f13c..e43b9d4ba049 100644
--- a/etc/rc.d/routing
+++ b/etc/rc.d/routing
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $Id$
+# $Id: rc.network,v 1.21 1998/04/12 09:47:43 markm Exp $
 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
 
 # Note that almost all the user-configurable behavior is no longer in
@@ -265,6 +265,14 @@ network_pass3() {
 	if [ "X${mrouted_enable}" = X"YES" ]; then
 		echo -n ' mrouted'; mrouted ${mrouted_flags}
 	fi
+
+	# Network Address Translation daemon
+	if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
+		if [ -a "X${firewall_enable}" = X"YES" ]; then
+			echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
+		fi
+	fi
+
 	echo '.'
 	network_pass3_done=YES
 }
diff --git a/etc/rc.firewall b/etc/rc.firewall
index 444572f3a925..204f50c177f5 100644
--- a/etc/rc.firewall
+++ b/etc/rc.firewall
@@ -1,6 +1,6 @@
 ############
 # Setup system for firewall service.
-# $Id: rc.firewall,v 1.16 1998/02/10 01:45:47 adam Exp $
+# $Id: rc.firewall,v 1.17 1998/04/15 16:41:14 phk Exp $
 
 if [ -f /etc/rc.conf ]; then
 	. /etc/rc.conf
@@ -57,6 +57,15 @@ fi
 # Flush out the list before we begin.
 $fwcmd -f flush
 
+############
+# These rules are required for using natd. All packets are passed to
+# natd before they encounter your remaining rules. The firewall rules
+# will then be run again on each packet after translation by natd,
+# minus any divert rules (see natd(8)).
+if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
+	$fwcmd add divert natd all from any to any via ${natd_interface}
+fi
+
 ############
 # If you just configured ipfw in the kernel as a tool to solve network
 # problems or you just want to disallow some particular kinds of traffic
diff --git a/etc/rc.network b/etc/rc.network
index 1e49f779f13c..e43b9d4ba049 100644
--- a/etc/rc.network
+++ b/etc/rc.network
@@ -1,6 +1,6 @@
 #!/bin/sh -
 #
-# $Id$
+# $Id: rc.network,v 1.21 1998/04/12 09:47:43 markm Exp $
 # From: @(#)netstart 5.9 (Berkeley) 3/30/91
 
 # Note that almost all the user-configurable behavior is no longer in
@@ -265,6 +265,14 @@ network_pass3() {
 	if [ "X${mrouted_enable}" = X"YES" ]; then
 		echo -n ' mrouted'; mrouted ${mrouted_flags}
 	fi
+
+	# Network Address Translation daemon
+	if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
+		if [ -a "X${firewall_enable}" = X"YES" ]; then
+			echo -n ' natd'; natd ${natd_flags} -n ${natd_interface}
+		fi
+	fi
+
 	echo '.'
 	network_pass3_done=YES
 }
diff --git a/etc/services b/etc/services
index a9be14924097..909ec2d259d7 100644
--- a/etc/services
+++ b/etc/services
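Review bot: The new divert rule in the rc.firewall hunk identifies its port by the service name `natd`, which resolves only through the `/etc/services` line added in this same commit (`natd 6668/divert`), while the natd invocation in rc.network passes no port option; if natd's built-in default port is not the same as that entry (not visible here), every packet on `${natd_interface}` is diverted to a port with no listener and dropped, which presents as a total loss of connectivity rather than an obvious NAT misconfiguration. Worth either passing the port explicitly on both sides or recording the coupling next to the rule, e.g. `# port name must match the natd entry in /etc/services and the port natd listens on`. The rule is also installed whenever rc.firewall runs, whereas natd itself is only started in network_pass3; if that ordering leaves a window before natd is listening, traffic on the interface is dropped during it, which is tolerable at boot but should be stated in the comment block so an operator reloading rules by hand knows to expect it.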
@@ -9,7 +9,7 @@
 # Kerberos services are for Kerberos v4, and are unofficial. Sites running
 # v5 should uncomment v5 entries and comment v4 entries.
 #
-# $Id: services,v 1.44 1998/03/09 02:56:21 steve Exp $
+# $Id: services,v 1.45 1998/03/17 02:09:49 jseger Exp $
 # From: @(#)services 5.8 (Berkeley) 5/9/91
 #
 # WELL KNOWN PORT NUMBERS
@@ -1652,6 +1652,7 @@ ricardo-lm 6148/tcp #Ricardo North America License Manager
 ricardo-lm 6148/udp #Ricardo North America License Manager
 xdsxdm 6558/tcp
 xdsxdm 6558/udp
+natd 6668/divert # Network Address Translation
 acmsoda 6969/tcp
 acmsoda 6969/udp
 afs3-fileserver 7000/tcp #file server itself
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 61bd866f2e44..8eacfcc07ff4 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $Id: rc.conf.5,v 1.15 1998/03/09 08:50:59 jkh Exp $
+.\" $Id: rc.conf.5,v 1.16 1998/03/12 07:30:49 charnier Exp $
 .\"
 .Dd April 26, 1997
 .Dt RC.CONF 5
@@ -121,6 +121,28 @@ must be given.
 (bool) Set to
 .Ar YES
 to disable the display of ipfw rules on the console during boot.
+.It Ar natd_enable
+(bool) Set to
+.Ar YES
+to enable natd.
+.Ar Firewall_enable
+must also be set to
+.Ar YES ,
+and
+.Xr divert 4
+sockets must be enabled in your kernel.
+.It Ar natd_interface
+This is the name of the public interface on which natd should run. It
+is mandatory if
+.Ar natd_enable
+is set to
+.Ar YES .
+.It Ar natd_flags
+Additional natd flags should be placed here. The
+.Fl n
+flag is automatically added with the above
+.Ar natd_interface
+as an argument.
 .It Ar tcp_extensions
 (bool) Set to
 .Ar YES