Make things clearer.

Submitted (some time ago) by: Ted Mittelstaedt <tedm@portsoft.com>

sbin/natd/samples/natd.cf.sample

@@ -1,26 +1,33 @@
 #
+# $Id:$
+#
+#
 # Configuration file for natd.
 #
 #
-# Logging to /var/log
+# Enable logging to file /var/log/alias.log
 #
 log		no
 #
-# Incoming connections.
+# Incoming connections.  Should NEVER be set to "yes" if redirect_port,
+# redirect_address, or permanent_link statements are activated in this file!
+#
+# Setting to yes provides additional anti-crack protection
 #
 deny_incoming	no
 #
-# Use sockets to avoid port clashes.
+# Use sockets to avoid port clashes.  Uses additional system resources, but
+# guarantees successful connections when port numbers conflict
 #
 use_sockets	no
 #
-# Avoid port changes if possible. Makes rlogin work
-# in most cases.
+# Avoid port changes if possible when altering outbound packets. Makes rlogin
+# work in most cases.
 #
 same_port	yes
 #
 # Verbose mode. Enables dumping of packets and disables
-# forking to background.
+# forking to background.  Only set to yes for debugging.
 #
 verbose		no
 #
@@ -31,10 +38,13 @@ port		32000
 # Interface name or address being aliased. Either one,
 # not both is required.
 #
+# Obtain interface name from the command output of "ifconfig -a"
+#
 # alias_address	192.168.0.1
 interface	ep0
 #
-# Alias unregistered addresses or all addresses.
+# Alias unregistered addresses or all addresses.  Set this to yes if
+# the inside network is all RFC1918 addresses. 
 #
 unregistered_only	no
 #
@@ -43,10 +53,42 @@ unregistered_only	no
 # natd is up - this is usually not the case. So either use
 # numeric addresses or hosts that are in /etc/hosts.
 #
+# Note:  Current versions of FreeBSD all call /etc/rc.firewall
+# BEFORE running named, so if the DNS server and NAT are on the same 
+# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
+#
 # Map connections coming to port 30000 to telnet in my_private_host.
 # Remember to allow the connection /etc/rc.firewall also.
+#
+#  The following permanent_link and redirect_port statements are equivalent
 #permanent_link		tcp my_private_host:telnet 0.0.0.0:0 30000
+#redirect_port		tcp my_private_host:telnet 30000
 #
 # Map connections coming from host.xyz.com to port 30001 to 
 # telnet in another_host.
 #permanent_link		tcp another_host:telnet host.xyz.com:0 30001
+#
+# Static NAT address mapping:
+#
+#  ipconfig must apply any legal IP numbers that inside hosts
+# will be known by to the outside interface.  These are sometimes known as
+# virtual IP numbers.  It's suggested to use the "interface" directive
+# instead of the "alias_address" directive to make it more clear what is
+# going on. (although both will work)
+#
+# DNS in this situation can get hairy.  For example, an inside host
+# named aweb.company.com is located at 192.168.1.56, and needs to be 
+# accessible through a legal IP number like 198.105.232.1.  If both
+# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
+# for aweb.company.com, then external hosts attempting to access
+# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
+#
+# The obvious solution is to use only a single address for the name, the
+# outside address.  However, this creates needless traffic through the
+# NAT, because inside hosts will go through the NAT to get to the legal
+# number, even when the inside number is on the same subnet as they are!
+#
+# It's probably not a good idea to use DNS names in redirect_address statements
+#
+#The following mapping points outside address 198.105.232.1 to 192.168.1.56
+#redirect_address  192.168.1.56		198.105.232.1

usr.sbin/natd/samples/natd.cf.sample

@@ -1,26 +1,33 @@
 #
+# $Id:$
+#
+#
 # Configuration file for natd.
 #
 #
-# Logging to /var/log
+# Enable logging to file /var/log/alias.log
 #
 log		no
 #
-# Incoming connections.
+# Incoming connections.  Should NEVER be set to "yes" if redirect_port,
+# redirect_address, or permanent_link statements are activated in this file!
+#
+# Setting to yes provides additional anti-crack protection
 #
 deny_incoming	no
 #
-# Use sockets to avoid port clashes.
+# Use sockets to avoid port clashes.  Uses additional system resources, but
+# guarantees successful connections when port numbers conflict
 #
 use_sockets	no
 #
-# Avoid port changes if possible. Makes rlogin work
-# in most cases.
+# Avoid port changes if possible when altering outbound packets. Makes rlogin
+# work in most cases.
 #
 same_port	yes
 #
 # Verbose mode. Enables dumping of packets and disables
-# forking to background.
+# forking to background.  Only set to yes for debugging.
 #
 verbose		no
 #
@@ -31,10 +38,13 @@ port		32000
 # Interface name or address being aliased. Either one,
 # not both is required.
 #
+# Obtain interface name from the command output of "ifconfig -a"
+#
 # alias_address	192.168.0.1
 interface	ep0
 #
-# Alias unregistered addresses or all addresses.
+# Alias unregistered addresses or all addresses.  Set this to yes if
+# the inside network is all RFC1918 addresses. 
 #
 unregistered_only	no
 #
@@ -43,10 +53,42 @@ unregistered_only	no
 # natd is up - this is usually not the case. So either use
 # numeric addresses or hosts that are in /etc/hosts.
 #
+# Note:  Current versions of FreeBSD all call /etc/rc.firewall
+# BEFORE running named, so if the DNS server and NAT are on the same 
+# machine, the nameserver won't be up if natd is called from /etc/rc.firewall
+#
 # Map connections coming to port 30000 to telnet in my_private_host.
 # Remember to allow the connection /etc/rc.firewall also.
+#
+#  The following permanent_link and redirect_port statements are equivalent
 #permanent_link		tcp my_private_host:telnet 0.0.0.0:0 30000
+#redirect_port		tcp my_private_host:telnet 30000
 #
 # Map connections coming from host.xyz.com to port 30001 to 
 # telnet in another_host.
 #permanent_link		tcp another_host:telnet host.xyz.com:0 30001
+#
+# Static NAT address mapping:
+#
+#  ipconfig must apply any legal IP numbers that inside hosts
+# will be known by to the outside interface.  These are sometimes known as
+# virtual IP numbers.  It's suggested to use the "interface" directive
+# instead of the "alias_address" directive to make it more clear what is
+# going on. (although both will work)
+#
+# DNS in this situation can get hairy.  For example, an inside host
+# named aweb.company.com is located at 192.168.1.56, and needs to be 
+# accessible through a legal IP number like 198.105.232.1.  If both
+# 192.168.1.56 and 198.105.232.1 are set up as address records in the DNS
+# for aweb.company.com, then external hosts attempting to access
+# aweb.company.com may use address 192.168.1.56 which is inaccessible to them.
+#
+# The obvious solution is to use only a single address for the name, the
+# outside address.  However, this creates needless traffic through the
+# NAT, because inside hosts will go through the NAT to get to the legal
+# number, even when the inside number is on the same subnet as they are!
+#
+# It's probably not a good idea to use DNS names in redirect_address statements
+#
+#The following mapping points outside address 198.105.232.1 to 192.168.1.56
+#redirect_address  192.168.1.56		198.105.232.1