At minimum, Minewt requires three IP addresses to be specified:

-i internal_ip

The Internal IP address, which will be the gateway your internal hosts will set as their default gateway.

-I external_ip

The External IP address, which will be the IP address that the external world is prepared to communicate with.

-r default_gateway

The Default Gateway, which is the upstream router that will route your packets closer to their destination.

-d / -D device

Use this Layer 2 Device for internal / External traffic

-m / -M MAC

Force MAC address for internal pseudodevice / External pseudodevice. Minewt will, by default, use 00:AB:BA:5C:AB:BA for internal, and 00:01:56:78:9A:BC for external. This is to demonstrate the ease of which the minewt process can be suspended and restarted without necessarily dropping the flows it was carrying. Several default MAC modes have been configured; see later section for details. -a / -A MAC Force MAC address when *ARPing* a given MAC/IP association. This is usually the same address as specified in -M, but not always.

-g / -G

Disable internal / External gratuitous ARP, i.e. announcing the MAC/IP pairing before anyone asks about it.

-R MAC

Force MAC address for default gateway.

-t timeout

Set timeout period for stateful connections. Defaults to six minutes. Only 1/10th of this value is set waiting for initial connections.

-v

Increase verbosity.

-l incoming_ip

Designate one IP address on your internal network to receive all incoming packets that do not correspond to a known entry in the state table. This is roughly analogous to Linksys's DMZ mode.

-s / -S

Embed NAT state in IP Timestamps. Instead of storing which host had which connection before the translation destroyed that information, embed it in the extra entropy extractable from the existing IP Timestamp option. Since IP timestamps are reflected back to the party that requested them, traffic that returns to minewt can be examined and routed correctly. This implementation is extremely weak, trivially hackable, and possibly insecure. It's here for demonstration purposes only. -s is a mode 3 timestamp, overloaded with new content. -S is a mode 4 timestamp, which doesn't actually exist -- and therefore behaves much more like we'd like it to.

-F

Enable fragment-spread IP Timestamps. This is a total hack -- IP fragments are the bane of any stateful analysis system, and Minewt is no exception. Now, IP options sometimes attach themselves to every fragment -- but IP timestamps isn't one of those options. It could be, though: One bit determines whether an IP Option is copied into every fragment; other bits determine the type. So, we just set the bit and see what happens.

[MAC] = R

Use a fully random MAC address, with the first byte set to 0 for compatibility: 00:??:??:??:??:??

[MAC] = B

Use the broadcast MAC address: (FF:FF:FF:FF:FF:FF)

[MAC] = M

Use a prespecified multicast address: (01:00:5E:11:22:33)

[MAC] = MR

Use a random multicast address: (01:00:5E:??:??:??)