From: Julian Elischer <julian@elischer.org>
Date: Mon, 05 Feb 2001 09:39:12 -0800
To: Rich Wales
Cc: freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject: Re: netgraph router? (was Re: BRIDGE breaks ARP?)
Message-ID: <3A7EE540.AA3A1AF0@elischer.org>
References: <20010205172708.36311.richw@wyattearp.stanford.edu>

Rich Wales wrote:
>
> Julian Elischer wrote:
>
> > > try using netgraph bridging instead.
>
> and I replied:
>
> > > Can't do this until the netgraph code supports ipfirewall
> > > or ipfilter.
>
> to which Julian replied:
>
> > why can't you use routing? (ipfw only REALLY works with IP
> > packets anyhow..) OR you can do what some people do which
> > is make a netgraph 'router' where appletalk and other NON-IP
> > packets are bridged and IP packets are routed.
>
> Could you explain this in more detail -- possibly directing me to
> an example?

Some people run a bridge between two ethernet segments, but give them
different IP netranges, thus IP goes via the IP code and routes while
other protocols 'see' each other directly and go through the bridge.
The clients are told to go via the router (BSD machine) so they do..
I don't see how this would help in your situation though.

>
> My requirements are:
>
> ==> I need to protect my main desktop machine behind a firewall
>     (which is why I'm running IPFIREWALL on my bridge).
>
> ==> My main desktop machine needs to have its own, "public" IP
>     address (my work requires me to use some Kerberized security
>     services that won't survive NAT-munging through a router).
>
> ==> I have DSL with multiple static IP addresses at home (work
>     perk), but my static block of addresses isn't big enough
>     for me to be able to split it further into mini-subnets for
>     routing purposes, which is why I want to run a bridge rather
>     than a conventional router.
>
> ==> I don't need my firewall to pass any kind of non-IP packets,
>     other than ARP.

So how does bridging help? This is what I'd do..

                real                   |         NAT
                addresses              |         addresses
                                       |
--internet--[firewall]------------[workstation+NAT]---------[othermachines]
                                       |
                                       |

In fact it is possible you could run both the 10.x.x.x net and the
'real' net on the same interface/cable and use the firewall to NAT
them as well (just assign two addresses to the interface). (I'd have
to look at the rules that are installed for NATD but I'm sure you
could work something out.)

> Rich Wales         richw@webcom.com         http://www.webcom.com/richw/

--
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/
            v