[apple/network_cmds.git] / natd.tproj / natd.8

.\" manual page [] for natd 1.4
.\"	$Id: natd.8,v 1.1.1.1 2000/01/11 01:48:51 wsanchez Exp $
.Dd 15 April 1997
.Os FreeBSD
.Dt NATD 8
.Sh NAME
.Nm natd
.Nd
Network Address Translation Daemon
.Sh SYNOPSIS
.Nm
.Op Fl ldsmvu
.Op Fl dynamic
.Op Fl i Ar inport
.Op Fl o Ar outport
.Op Fl p Ar port
.Op Fl a Ar address
.Op Fl n Ar interface
.Op Fl f Ar configfile

.Nm
.Op Fl log
.Op Fl deny_incoming
.Op Fl log_denied
.Op Fl use_sockets
.Op Fl same_ports
.Op Fl verbose
.Op Fl log_facility Ar facility_name
.Op Fl unregistered_only
.Op Fl dynamic
.Op Fl inport Ar inport
.Op Fl outport Ar outport
.Op Fl port Ar port
.Op Fl alias_address Ar address
.Op Fl interface Ar interface
.Op Fl config Ar configfile
.Op Fl redirect_port Ar linkspec
.Op Fl redirect_address Ar localIP publicIP
.Op Fl reverse
.Op Fl proxy_only
.Op Fl proxy_rule Ar proxyspec
.Op Fl pptpalias Ar localIP

.Sh DESCRIPTION
This program provides a Network Address Translation facility for use
with
.Xr divert 4
sockets under FreeBSD.  It is intended for use with NICs - if you want
to do NAT on a PPP link, use the -alias switch to
.Xr ppp 8 .

.Pp
.Nm Natd
normally runs in the background as a daemon.  It is passed raw IP packets
as they travel into and out of the machine, and will possibly change these
before re-injecting them back into the IP packet stream.

.Pp
.Nm Natd
changes all packets destined for another host so that their source
IP number is that of the current machine.  For each packet changed
in this manner, an internal table entry is created to record this
fact.  The source port number is also changed to indicate the
table entry applying to the packet.  Packets that are received with
a target IP of the current host are checked against this internal
table.  If an entry is found, it is used to determine the correct
target IP number and port to place in the packet.

.Pp
The following command line options are available.
.Bl -tag -width Fl

.It Fl log | l
Log various aliasing statistics and information to the file
.Pa /var/log/alias.log .
This file is truncated each time natd is started.

.It Fl deny_incoming | d
Reject packets destined for the current IP number that have no entry
in the internal translation table.

.It Fl log_denied
Log denied incoming packets via syslog (see also log_facility)

.It Fl log_facility Ar facility_name
Use specified log facility when logging information via syslog.
Facility names are as in
.Xr syslog.conf 5

.It Fl use_sockets | s
Allocate a
.Xr socket 2
in order to establish an FTP data or IRC DCC send connection.  This
option uses more system resources, but guarantees successful connections
when port numbers conflict.

.It Fl same_ports | m
Try to keep the same port number when altering outgoing packets.
With this option, protocols such as RPC will have a better chance
of working.  If it is not possible to maintain the port number, it
will be silently changed as per normal.

.It Fl verbose | v
Don't call
.Xr fork 2
or
.Xr daemon 3
on startup.  Instead, stay attached to the controling terminal and
display all packet alterations to the standard output.  This option
should only be used for debugging purposes.

.It Fl unregistered_only | u
Only alter outgoing packets with an unregistered source address.
According to rfc 1918, unregistered source addresses are 10.0.0.0/8,
172.16.0.0/12 and 192.168.0.0/16.

.It Fl redirect_port Ar proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]
Redirect incoming connections arriving to given port to another host and port.
Proto is either tcp or udp, targetIP is the desired target IP
number, targetPORT is the desired target PORT number, aliasPORT
is the requested PORT number and aliasIP is the aliasing address.
RemoteIP and remotePORT can be used to specify the connection
more accurately if necessary.
For example, the argument

.Ar tcp inside1:telnet 6666

means that tcp packets destined for port 6666 on this machine will
be sent to the telnet port on the inside1 machine.

.It Fl redirect_address Ar localIP publicIP
Redirect traffic for public IP address to a machine on the local
network. This function is known as "static NAT". Normally static NAT
is useful if your ISP has allocated a small block of IP addresses to you,
but it can even be used in the case of single address:

  redirect_address 10.0.0.8 0.0.0.0

The above command would redirect all incoming traffic
to machine 10.0.0.8.

If several address aliases specify the same public address
as follows

  redirect_address 192.168.0.2 public_addr
  redirect_address 192.168.0.3 public_addr
  redirect_address 192.168.0.4 public_addr
  
the incoming traffic will be directed to the last
translated local address (192.168.0.4), but outgoing
traffic to the first two addresses will still be aliased
to specified public address.

.It Fl dynamic
If the
.Fl n
or
.Fl interface
option is used,
.Nm
will monitor the routing socket for alterations to the
.Ar interface
passed.  If the interfaces IP number is changed,
.Nm
will dynamically alter its concept of the alias address.

.It Fl i | inport Ar inport
Read from and write to
.Ar inport ,
treating all packets as packets coming into the machine.

.It Fl o | outport Ar outport
Read from and write to
.Ar outport ,
treating all packets as packets going out of the machine.

.It Fl p | port Ar port
Read from and write to
.Ar port ,
distinguishing packets as incoming our outgoing using the rules specified in
.Xr divert 4 .
If
.Ar port
is not numeric, it is searched for in the
.Pa /etc/services
database using the
.Xr getservbyname 3
function.  If this flag is not specified, the divert port named natd will
be used as a default.  An example entry in the
.Pa /etc/services
database would be:

  natd   8668/divert  # Network Address Translation socket

Refer to
.Xr services 5
for further details.

.It Fl a | alias_address Ar address
Use
.Ar address
as the alias address.  If this option is not specified, the
.Fl n
or
.Fl interface
option must be used.  The specified address should be the address assigned
to the public network interface.
.Pp
All data passing out through this addresses interface will be rewritten
with a source address equal to
.Ar address .
All data arriving at the interface from outside will be checked to
see if it matches any already-aliased outgoing connection.  If it does,
the packet is altered accordingly.  If not, all
.Fl redirect_port
and
.Fl redirect_address
assignments are checked and actioned.  If no other action can be made,
and if
.Fl deny_incoming
is not specified, the packet is delivered to the local machine and port
as specified in the packet.

.It Fl n | interface Ar interface
Use
.Ar interface
to determine the alias address.  If there is a possibility that the
IP number associated with
.Ar interface
may change, the
.Fl dynamic
flag should also be used.  If this option is not specified, the
.Fl a
or
.Fl alias_address
flag must be used.
.Pp
The specified
.Ar interface
must be the public network interface.
.It Fl f | config Ar configfile
Read configuration from
.Ar configfile .
.Ar Configfile
contains a list of options, one per line in the same form as the
long form of the above command line flags.  For example, the line

  alias_address 158.152.17.1

would specify an alias address of 158.152.17.1.  Options that don't
take an argument are specified with an option of
.Ar yes
or
.Ar no
in the configuration file.  For example, the line

  log yes

is synonomous with
.Fl log .
Empty lines and lines beginning with '#' are ignored.

.It Fl reverse
Reverse operation of natd. This can be useful in some 
transparent proxying situations when outgoing traffic
is redirected to the local machine and natd is running on the
incoming interface (it usually runs on the outgoing interface).

.It Fl proxy_only
Force natd to perform transparent proxying
only. Normal address translation is not performed.

.It Fl proxy_rule Ar [type encode_ip_hdr|encode_tcp_stream] port xxxx server a.b.c.d:yyyy
Enable transparent proxying. Packets with the given port going through this
host to any other host are redirected to the given server and port.
Optionally, the original target address can be encoded into the packet. Use 
.Dq encode_ip_hdr
to put this information into the IP option field or
.Dq encode_tcp_stream
to inject the data into the beginning of the TCP stream.

.It Fl pptpalias Ar localIP
Allow PPTP packets to go to the defined localIP address. PPTP is a VPN or secure
IP tunneling technology being developed primarily by Microsoft. For its encrypted traffic,
it uses an old IP encapsulation protocol called GRE (47). This
natd option will translate any traffic of this protocol to a
single, specified IP address. This would allow either one client or one server 
to be serviced with natd. If you are setting up a server, don't forget to allow the TCP traffic
for the PPTP setup. For a client or server, you must allow GRE (protocol 47) if you have firewall lists active.

.El

.Sh RUNNING NATD
The following steps are necessary before attempting to run
.Nm natd :

.Bl -enum
.It
Get FreeBSD version 2.2 or higher.  Versions before this do not support
.Xr divert 4
sockets.

.It
Build a custom kernel with the following options:

  options IPFIREWALL
  options IPDIVERT

Refer to the handbook for detailed instructions on building a custom
kernel.

.It
Ensure that your machine is acting as a gateway.  This can be done by
specifying the line

  gateway_enable=YES

in
.Pa /etc/rc.conf ,
or using the command

  sysctl -w net.inet.ip.forwarding=1

.It
If you wish to use the
.Fl n
or
.Fl interface
flags, make sure that your interface is already configured.  If, for
example, you wish to specify tun0 as your
.Ar interface ,
and you're using
.Xr ppp 8
on that interface, you must make sure that you start
.Nm ppp
prior to starting
.Nm natd .

.It
Create an entry in
.Pa /etc/services :

  natd          8668/divert  # Network Address Translation socket

This gives a default for the
.Fl p
or
.Fl port
flag.

.El
.Pp
Running
.Nm
is fairly straight forward.  The line

  natd -interface ed0

should suffice in most cases (substituting the correct interface name).  Once
.Nm
is running, you must ensure that traffic is diverted to natd:

.Bl -enum
.It
You will need to adjust the
.Pa /etc/rc.firewall
script to taste.  If you're not interested in having a firewall, the
following lines will do:

  /sbin/ipfw -f flush
  /sbin/ipfw add divert natd all from any to any via ed0
  /sbin/ipfw add pass all from any to any

The second line depends on your interface (change ed0 as appropriate)
and assumes that you've updated
.Pa /etc/services
with the natd entry as above.  If you specify real firewall rules, it's
best to specify line 2 at the start of the script so that
.Nm
sees all packets before they are dropped by the firewall.  The firewall
rules will be run again on each packet after translation by
.Nm natd ,
minus any divert rules.

.It
Enable your firewall by setting

  firewall_enable=YES

in
.Pa /etc/rc.conf .
This tells the system startup scripts to run the
.Pa /etc/rc.firewall
script.  If you don't wish to reboot now, just run this by hand from the
console.  NEVER run this from a virtual session unless you put it into
the background.  If you do, you'll lock yourself out after the flush
takes place, and execution of
.Pa /etc/rc.firewall
will stop at this point - blocking all accesses permanently.  Running
the script in the background should be enough to prevent this disaster.

.El

.Sh SEE ALSO
.Xr getservbyname 2 ,
.Xr socket 2 ,
.Xr divert 4 ,
.Xr services 5 ,
.Xr ipfw 8

.Sh AUTHORS
This program is the result of the efforts of many people at different
times:

.An Archie Cobbs Aq archie@whistle.com
(divert sockets)
.An Charles Mott Aq cmott@srv.net
(packet aliasing)
.An Eivind Eklund Aq perhaps@yes.no
(IRC support & misc additions)
.An Ari Suutari Aq suutari@iki.fi
(natd)
.An Dru Nelson Aq dnelson@redwoodsoft.com
(PPTP support)
.An Brian Somers Aq brian@awfulhak.org
(glue)
Commit	Line	Data
b7080c8e A	1	.\" manual page [] for natd 1.4
	2	.\" $Id: natd.8,v 1.1.1.1 2000/01/11 01:48:51 wsanchez Exp $
	3	.Dd 15 April 1997
	4	.Os FreeBSD
	5	.Dt NATD 8
	6	.Sh NAME
	7	.Nm natd
	8	.Nd
	9	Network Address Translation Daemon
	10	.Sh SYNOPSIS
	11	.Nm
	12	.Op Fl ldsmvu
	13	.Op Fl dynamic
	14	.Op Fl i Ar inport
	15	.Op Fl o Ar outport
	16	.Op Fl p Ar port
	17	.Op Fl a Ar address
	18	.Op Fl n Ar interface
	19	.Op Fl f Ar configfile
	20
	21	.Nm
	22	.Op Fl log
	23	.Op Fl deny_incoming
	24	.Op Fl log_denied
	25	.Op Fl use_sockets
	26	.Op Fl same_ports
	27	.Op Fl verbose
	28	.Op Fl log_facility Ar facility_name
	29	.Op Fl unregistered_only
	30	.Op Fl dynamic
	31	.Op Fl inport Ar inport
	32	.Op Fl outport Ar outport
	33	.Op Fl port Ar port
	34	.Op Fl alias_address Ar address
	35	.Op Fl interface Ar interface
	36	.Op Fl config Ar configfile
	37	.Op Fl redirect_port Ar linkspec
	38	.Op Fl redirect_address Ar localIP publicIP
	39	.Op Fl reverse
	40	.Op Fl proxy_only
	41	.Op Fl proxy_rule Ar proxyspec
	42	.Op Fl pptpalias Ar localIP
	43
	44	.Sh DESCRIPTION
	45	This program provides a Network Address Translation facility for use
	46	with
	47	.Xr divert 4
	48	sockets under FreeBSD. It is intended for use with NICs - if you want
	49	to do NAT on a PPP link, use the -alias switch to
	50	.Xr ppp 8 .
	51
	52	.Pp
	53	.Nm Natd
	54	normally runs in the background as a daemon. It is passed raw IP packets
	55	as they travel into and out of the machine, and will possibly change these
	56	before re-injecting them back into the IP packet stream.
	57
	58	.Pp
	59	.Nm Natd
	60	changes all packets destined for another host so that their source
	61	IP number is that of the current machine. For each packet changed
	62	in this manner, an internal table entry is created to record this
	63	fact. The source port number is also changed to indicate the
	64	table entry applying to the packet. Packets that are received with
65	a target IP of the current host are checked against this internal
66	table. If an entry is found, it is used to determine the correct
67	target IP number and port to place in the packet.
68
69	.Pp
70	The following command line options are available.
71	.Bl -tag -width Fl
72
73	.It Fl log \| l
74	Log various aliasing statistics and information to the file
75	.Pa /var/log/alias.log .
76	This file is truncated each time natd is started.
77
78	.It Fl deny_incoming \| d
79	Reject packets destined for the current IP number that have no entry
80	in the internal translation table.
81
82	.It Fl log_denied
83	Log denied incoming packets via syslog (see also log_facility)
84
85	.It Fl log_facility Ar facility_name
86	Use specified log facility when logging information via syslog.
87	Facility names are as in
88	.Xr syslog.conf 5
89
90	.It Fl use_sockets \| s
91	Allocate a
92	.Xr socket 2
93	in order to establish an FTP data or IRC DCC send connection. This
94	option uses more system resources, but guarantees successful connections
95	when port numbers conflict.
96
97	.It Fl same_ports \| m
98	Try to keep the same port number when altering outgoing packets.
99	With this option, protocols such as RPC will have a better chance
100	of working. If it is not possible to maintain the port number, it
101	will be silently changed as per normal.
102
103	.It Fl verbose \| v
104	Don't call
105	.Xr fork 2
106	or
107	.Xr daemon 3
108	on startup. Instead, stay attached to the controling terminal and
109	display all packet alterations to the standard output. This option
110	should only be used for debugging purposes.
111
112	.It Fl unregistered_only \| u
113	Only alter outgoing packets with an unregistered source address.
114	According to rfc 1918, unregistered source addresses are 10.0.0.0/8,
115	172.16.0.0/12 and 192.168.0.0/16.
116
117	.It Fl redirect_port Ar proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]
118	Redirect incoming connections arriving to given port to another host and port.
119	Proto is either tcp or udp, targetIP is the desired target IP
120	number, targetPORT is the desired target PORT number, aliasPORT
121	is the requested PORT number and aliasIP is the aliasing address.
122	RemoteIP and remotePORT can be used to specify the connection
123	more accurately if necessary.
124	For example, the argument
125
126	.Ar tcp inside1:telnet 6666
127
128	means that tcp packets destined for port 6666 on this machine will
129	be sent to the telnet port on the inside1 machine.
130
131	.It Fl redirect_address Ar localIP publicIP
132	Redirect traffic for public IP address to a machine on the local
133	network. This function is known as "static NAT". Normally static NAT
134	is useful if your ISP has allocated a small block of IP addresses to you,
135	but it can even be used in the case of single address:
136
137	redirect_address 10.0.0.8 0.0.0.0
138
139	The above command would redirect all incoming traffic
140	to machine 10.0.0.8.
141
142	If several address aliases specify the same public address
143	as follows
144
145	redirect_address 192.168.0.2 public_addr
146	redirect_address 192.168.0.3 public_addr
147	redirect_address 192.168.0.4 public_addr
148
149	the incoming traffic will be directed to the last
150	translated local address (192.168.0.4), but outgoing
151	traffic to the first two addresses will still be aliased
152	to specified public address.
153
154	.It Fl dynamic
155	If the
156	.Fl n
157	or
158	.Fl interface
159	option is used,
160	.Nm
161	will monitor the routing socket for alterations to the
162	.Ar interface
163	passed. If the interfaces IP number is changed,
164	.Nm
165	will dynamically alter its concept of the alias address.
166
167	.It Fl i \| inport Ar inport
168	Read from and write to
169	.Ar inport ,
170	treating all packets as packets coming into the machine.
171
172	.It Fl o \| outport Ar outport
173	Read from and write to
174	.Ar outport ,
175	treating all packets as packets going out of the machine.
176
177	.It Fl p \| port Ar port
178	Read from and write to
179	.Ar port ,
180	distinguishing packets as incoming our outgoing using the rules specified in
181	.Xr divert 4 .
182	If
183	.Ar port
184	is not numeric, it is searched for in the
185	.Pa /etc/services
186	database using the
187	.Xr getservbyname 3
188	function. If this flag is not specified, the divert port named natd will
189	be used as a default. An example entry in the
190	.Pa /etc/services
191	database would be:
192
193	natd 8668/divert # Network Address Translation socket
194
195	Refer to
196	.Xr services 5
197	for further details.
198
199	.It Fl a \| alias_address Ar address
200	Use
201	.Ar address
202	as the alias address. If this option is not specified, the
203	.Fl n
204	or
205	.Fl interface
206	option must be used. The specified address should be the address assigned
207	to the public network interface.
208	.Pp
209	All data passing out through this addresses interface will be rewritten
210	with a source address equal to
211	.Ar address .
212	All data arriving at the interface from outside will be checked to
213	see if it matches any already-aliased outgoing connection. If it does,
214	the packet is altered accordingly. If not, all
215	.Fl redirect_port
216	and
217	.Fl redirect_address
218	assignments are checked and actioned. If no other action can be made,
219	and if
220	.Fl deny_incoming
221	is not specified, the packet is delivered to the local machine and port
222	as specified in the packet.
223
224	.It Fl n \| interface Ar interface
225	Use
226	.Ar interface
227	to determine the alias address. If there is a possibility that the
228	IP number associated with
229	.Ar interface
230	may change, the
231	.Fl dynamic
232	flag should also be used. If this option is not specified, the
233	.Fl a
234	or
235	.Fl alias_address
236	flag must be used.
237	.Pp
238	The specified
239	.Ar interface
240	must be the public network interface.
241	.It Fl f \| config Ar configfile
242	Read configuration from
243	.Ar configfile .
244	.Ar Configfile
245	contains a list of options, one per line in the same form as the
246	long form of the above command line flags. For example, the line
247
248	alias_address 158.152.17.1
249
250	would specify an alias address of 158.152.17.1. Options that don't
251	take an argument are specified with an option of
252	.Ar yes
253	or
254	.Ar no
255	in the configuration file. For example, the line
256
257	log yes
258
259	is synonomous with
260	.Fl log .
261	Empty lines and lines beginning with '#' are ignored.
262
263	.It Fl reverse
264	Reverse operation of natd. This can be useful in some
265	transparent proxying situations when outgoing traffic
266	is redirected to the local machine and natd is running on the
267	incoming interface (it usually runs on the outgoing interface).
268
269	.It Fl proxy_only
270	Force natd to perform transparent proxying
271	only. Normal address translation is not performed.
272
273	.It Fl proxy_rule Ar [type encode_ip_hdr\|encode_tcp_stream] port xxxx server a.b.c.d:yyyy
274	Enable transparent proxying. Packets with the given port going through this
275	host to any other host are redirected to the given server and port.
276	Optionally, the original target address can be encoded into the packet. Use
277	.Dq encode_ip_hdr
278	to put this information into the IP option field or
279	.Dq encode_tcp_stream
280	to inject the data into the beginning of the TCP stream.
281
282	.It Fl pptpalias Ar localIP
283	Allow PPTP packets to go to the defined localIP address. PPTP is a VPN or secure
284	IP tunneling technology being developed primarily by Microsoft. For its encrypted traffic,
285	it uses an old IP encapsulation protocol called GRE (47). This
286	natd option will translate any traffic of this protocol to a
287	single, specified IP address. This would allow either one client or one server
288	to be serviced with natd. If you are setting up a server, don't forget to allow the TCP traffic
289	for the PPTP setup. For a client or server, you must allow GRE (protocol 47) if you have firewall lists active.
290
291	.El
292
293	.Sh RUNNING NATD
294	The following steps are necessary before attempting to run
295	.Nm natd :
296
297	.Bl -enum
298	.It
299	Get FreeBSD version 2.2 or higher. Versions before this do not support
300	.Xr divert 4
301	sockets.
302
303	.It
304	Build a custom kernel with the following options:
305
306	options IPFIREWALL
307	options IPDIVERT
308
309	Refer to the handbook for detailed instructions on building a custom
310	kernel.
311
312	.It
313	Ensure that your machine is acting as a gateway. This can be done by
314	specifying the line
315
316	gateway_enable=YES
317
318	in
319	.Pa /etc/rc.conf ,
320	or using the command
321
322	sysctl -w net.inet.ip.forwarding=1
323
324	.It
325	If you wish to use the
326	.Fl n
327	or
328	.Fl interface
329	flags, make sure that your interface is already configured. If, for
330	example, you wish to specify tun0 as your
331	.Ar interface ,
332	and you're using
333	.Xr ppp 8
334	on that interface, you must make sure that you start
335	.Nm ppp
336	prior to starting
337	.Nm natd .
338
339	.It
340	Create an entry in
341	.Pa /etc/services :
342
343	natd 8668/divert # Network Address Translation socket
344
345	This gives a default for the
346	.Fl p
347	or
348	.Fl port
349	flag.
350
351	.El
352	.Pp
353	Running
354	.Nm
355	is fairly straight forward. The line
356
357	natd -interface ed0
358
359	should suffice in most cases (substituting the correct interface name). Once
360	.Nm
361	is running, you must ensure that traffic is diverted to natd:
362
363	.Bl -enum
364	.It
365	You will need to adjust the
366	.Pa /etc/rc.firewall
367	script to taste. If you're not interested in having a firewall, the
368	following lines will do:
369
370	/sbin/ipfw -f flush
371	/sbin/ipfw add divert natd all from any to any via ed0
372	/sbin/ipfw add pass all from any to any
373
374	The second line depends on your interface (change ed0 as appropriate)
375	and assumes that you've updated
376	.Pa /etc/services
377	with the natd entry as above. If you specify real firewall rules, it's
378	best to specify line 2 at the start of the script so that
379	.Nm
380	sees all packets before they are dropped by the firewall. The firewall
381	rules will be run again on each packet after translation by
382	.Nm natd ,
383	minus any divert rules.
384
385	.It
386	Enable your firewall by setting
387
388	firewall_enable=YES
389
390	in
391	.Pa /etc/rc.conf .
392	This tells the system startup scripts to run the
393	.Pa /etc/rc.firewall
394	script. If you don't wish to reboot now, just run this by hand from the
395	console. NEVER run this from a virtual session unless you put it into
396	the background. If you do, you'll lock yourself out after the flush
397	takes place, and execution of
398	.Pa /etc/rc.firewall
399	will stop at this point - blocking all accesses permanently. Running
400	the script in the background should be enough to prevent this disaster.
401
402	.El
403
404	.Sh SEE ALSO
405	.Xr getservbyname 2 ,
406	.Xr socket 2 ,
407	.Xr divert 4 ,
408	.Xr services 5 ,
409	.Xr ipfw 8
410
411	.Sh AUTHORS
412	This program is the result of the efforts of many people at different
413	times:
414
415	.An Archie Cobbs Aq archie@whistle.com
416	(divert sockets)
417	.An Charles Mott Aq cmott@srv.net
418	(packet aliasing)
419	.An Eivind Eklund Aq perhaps@yes.no
420	(IRC support & misc additions)
421	.An Ari Suutari Aq suutari@iki.fi
422	(natd)
423	.An Dru Nelson Aq dnelson@redwoodsoft.com
424	(PPTP support)
425	.An Brian Somers Aq brian@awfulhak.org
426	(glue)