Date: Sun, 30 Jan 2000 16:05:40 -0700 (MST)
From: "Forrest W. Christian"
To: William Woods
Cc: Nate Williams, Coleman Kane, freebsd-stable@FreeBSD.ORG, Doug White
Subject: Re: FW: DSL natd rules....

On Sun, 30 Jan 2000, William Woods wrote:

> OK, I am a bit confused here. I have heard that I CAN use NAT on the Cisco to
> the gateway/firewall/router (FreeBSD box), and then I can't use NAT on the Cisco to
> the firewall if I am going to use natd on the FreeBSD box....

Let me see if I can straighten out your assumptions here.

Let's first talk about the 675 and what it can do by itself. If that's all you need, then why complicate the issue with natd?

The 675 runs what is called CBOS. CBOS includes BOTH NAT and filtering capabilities. Or, in other words, exactly what natd/ipfw does on FreeBSD.

In a "normal" environment you would set the 675 to NAT mode and plug it directly into your internal network. You would probably also configure some security-related things like a password, etc. If you are paranoid, you can also set up additional filters.

In addition, if you have a static outside IP you can also turn on what I call "static port/address translation", or in other words, re-route inbound traffic destined for a specific protocol/IP to the inside world (i.e. all inbound mail traffic goes toward a mail server). Unfortunately, this doesn't appear to support a dynamic IP, although CBOS might be smarter than I'm giving it credit for.

You can also turn on PPP bridging, which basically takes the IP frames and stuffs them out on the ethernet. I can't vouch for how well this works. I can't see how this would work well at all in the dynamic IP world. Although, if you really wanted to do natd/ipfw on the FreeBSD box and you had a static IP address, this should work well. In essence, you (should) be able to assign your static IP to the outside interface of your FreeBSD box. Again, I can't vouch for this or for how well it works, and it seems likely to not work very well.

Now, onto the FreeBSD box. If you really want to go through natd/ipfw (I don't believe there are any security benefits to doing so), then you should just be able to plug the FreeBSD box into the 675 and configure natd like normal. Everything should work just fine.

However, if you have a static IP and you would like to, say, receive inbound mail on port 25, you will need to set up the NAT rules on BOTH the 675 and the FreeBSD box. In essence you become "double firewalled", and as such everything has to be checked by both.

Unless you have a specific reason not to do so, I would just plug the 675 into your internal LAN and be done with it. The only probable exception to that is if you have a static IP and would like to try and see if you can make the PPP bridging work.

For your reference, the manuals for the 675 are at:

http://www.cisco.com/univercd/cc/td/doc/product/dsl_prod/c600s/index.htm

You will want to click on the "Cisco Broadband Operating System (CBOS)" link to get to the "real" configuration manual.

- Forrest W. Christian (forrestc@imach.com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com
Solutions for your high-tech problems. (406)-442-6648
----------------------------------------------------------------------
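For the "double firewalled" case above (natd/ipfw on the FreeBSD box behind a 675 in NAT mode, inbound mail on port 25), the FreeBSD side looks roughly like the following. This is an added illustration, not configuration from the post; it assumes FreeBSD 3.x/4.x-era rc.conf/natd/ipfw syntax, xl0 as the interface facing the 675, xl1 as the inside interface, and 192.168.1.2 as the internal mail server (all constructed values).

```conf
# /etc/rc.conf (constructed example)
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"     # rc.firewall feeds this file to ipfw
natd_enable="YES"
natd_interface="xl0"                # assumed: interface towards the 675
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf (constructed example)
# Follow address changes on xl0; only matters if the 675 hands out a dynamic IP.
dynamic yes
# Inbound TCP/25 arriving at xl0's address is rewritten to the internal mail host.
# The 675 must forward TCP/25 to xl0's address as well, or this rule is never reached:
# both boxes are doing NAT, so both need the port translation.
redirect_port tcp 192.168.1.2:25 25

# /etc/ipfw.rules (constructed example; ipfw processes these lines in order)
# Everything crossing xl0 is handed to natd first, then re-enters at the next rule
# with its addresses already translated, so later rules see internal addresses.
add 100 divert natd ip from any to any via xl0
add 200 allow ip from any to any via lo0
# Inside interface is trusted; the 675 and these rules only police xl0.
add 250 allow ip from any to any via xl1
# The only new inbound connection we accept is the translated mail connection.
add 300 allow tcp from any to 192.168.1.2 25 in via xl0 setup
# Replies to connections opened from the inside (stateless check: ACK/RST set).
add 400 allow tcp from any to any established
add 500 allow ip from any to any out via xl0
# DNS replies for internal resolvers; natd has already mapped them back inside.
add 600 allow udp from any 53 to any in via xl0
# Anything else arriving on xl0 is dropped and logged, so stray probes show up
# in the logs even though the 675 in front should already have filtered them.
add 65000 deny log ip from any to any
```

With a dynamic IP from the 675, the `dynamic yes` line is what keeps natd's mapping valid after the outside address changes; the 675's own port forwarding still has to be pointed at whatever address xl0 currently holds.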