Date: Thu, 19 Aug 1999 16:13:20 +0200
From: Stefano Riva <sriva@alice.it>
To: "Langa Kentane" <evablunted@earthling.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: router and firewall question
Message-ID: <3.0.5.32.19990819161320.009d73c0@relay.alice.it>
In-Reply-To: <001401beea38$41c28d90$0a01a8c0@sunshine.co.za>
At 13.34 19/08/99 +0200, you wrote:

>I have a Cisco 2511 connected to the internet thru s0. The IP address of s0
>is set to unnumbered (eth0). Eth0's IP address is x.y.25.1 255.255.255.192.
>My ISP has assigned me 64 IP addresses.
>I want to put up a FreeBSD firewall between the router and the rest of the
>network. All hosts will be behind the firewall.
>What should the IP address of the interfaces on the firewall machine be? And
>how will this affect the rest of my network's IP addresses?

As for software, there are mainly two choices: you may use the "original" ipfw + natd mechanism bundled with FreeBSD (take a look at /etc/rc.firewall) or Darren Reed's IP-Filter package, also bundled with FreeBSD 3.x. Start by enabling gateway in your /etc/rc.conf: gateway_enable="YES".

I'd suggest IP-Filter, because IMO it's more powerful; take a look at http://cheops.anu.edu.au/~avalon/ip-filter.html. You would have to enable it in your kernel configuration file and recompile the kernel (look at /sys/i386/conf/LINT about enabling it and at www.freebsd.org about recompiling the kernel).

Anyway, maybe ipfw + natd are better documented and you would easily find more people able to help you on this list (I tried both ipfw + natd and IP-Filter in the past, but currently I don't manage a firewall with FreeBSD, so I can't help you with details). It's up to you.

First of all, read the Handbook's intro to firewalls at http://www.freebsd.org/handbook/firewalls.html.

You'll have to set up the "public" interface on your machine with a public IP, i.e. one assigned to you by your ISP. Then you have to choose whether you want to use NAT (Network Address Translation) or not: with NAT you would use a private class of IP addresses for your private network (192.168.0.0/24 for example, if a class C is enough for you) and they would be translated into a pool of public addresses or into a single public address by your BSD box.
I'd suggest using NAT for flexibility; for example, changing ISP would be almost painless... You could also have many more than 64 private IPs with only your 64 public addresses.

Example for your case: Cisco's eth0 x.y.25.1/26, BSD public interface x.y.25.2/26, BSD private interface 192.168.0.1/24, your machines from 192.168.0.2/24 to 192.168.0.254/24.

If you're using UTP on your LAN, you may connect the Cisco router and the BSD box directly with a cross-over cable.

Probably it sounds complicated... Well, it is, at least a little bit. ;-)

---
Stefano Riva
Software Engineer - Systems Administrator
Informazioni Editoriali I.E. Srl
Voice +39-02283151, Fax +39-0228315900
Email sriva@alice.it
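The ipfw + natd variant of the setup described in the reply above, written out as an added example (not Stefano's or FreeBSD's own script), modelled on the "simple" section of /etc/rc.firewall. It assumes ed0 faces the Cisco with x.y.25.2/26 and ed1 faces the LAN with 192.168.0.1/24; "x.y" is the placeholder prefix from the mail and must be replaced before loading.

```shell
#!/bin/sh
# Added example: ipfw + natd rule set for a BSD box between the Cisco and
# the LAN. Interface names ed0/ed1 and the x.y prefix are assumptions.
# Kernel needs "options IPFIREWALL" and "options IPDIVERT"; matching
# /etc/rc.conf lines: gateway_enable="YES" firewall_enable="YES"
# natd_enable="YES" natd_interface="ed0"

OIF=${OIF:-ed0};  ONET=${ONET:-x.y.25.0/26}      # public side, toward the Cisco
IIF=${IIF:-ed1};  INET=${INET:-192.168.0.0/24}   # private side, toward the LAN
IPFW=${IPFW:-/sbin/ipfw}      # set IPFW=echo to preview instead of loading

# Print the rules, one "ipfw add" argument list per line, in load order.
# The divert rule sits between the two RFC1918 checks on purpose: rules
# before it see untranslated addresses, rules after it see translated ones.
ruleset() {
	cat <<EOF
pass all from any to any via lo0
deny all from any to 127.0.0.0/8
deny all from $INET to any in via $OIF
deny all from $ONET to any in via $IIF
deny all from any to 192.168.0.0/16 via $OIF
divert natd all from any to any via $OIF
deny all from 192.168.0.0/16 to any via $OIF
pass tcp from any to any established
pass all from any to any frag
deny log tcp from any to any in via $OIF setup
pass tcp from any to any setup
pass udp from any to any 53 out via $OIF
pass udp from any 53 to any in via $OIF
pass icmp from any to any icmptypes 0,3,8,11
deny log all from any to any
EOF
}

# Flush and load the set; ipfw numbers the rules itself in steps of 100.
# Prints the number of rules loaded, or fails if any rule is rejected.
load_rules() {
	$IPFW -f flush >/dev/null || return 1
	ruleset | while read rule; do
		$IPFW add $rule >/dev/null || exit 1
	done || return 1
	ruleset | wc -l | tr -d ' '
}
```

The inbound "udp from any 53" rule is the classic rc.firewall compromise for DNS replies; narrowing it to your resolver's address is the first tightening to make.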