From owner-freebsd-isp Thu Feb 12 06:31:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA03786 for freebsd-isp-outgoing; Thu, 12 Feb 1998 06:31:27 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from federation.addy.com (federation.addy.com [207.239.68.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA03779 for ; Thu, 12 Feb 1998 06:31:24 -0800 (PST) (envelope-from fbsdlist@federation.addy.com)
Received: from localhost (fbsdlist@localhost) by federation.addy.com (8.8.5/8.6.12) with SMTP id JAA13653 for ; Thu, 12 Feb 1998 09:31:20 -0500 (EST)
Date: Thu, 12 Feb 1998 09:31:19 -0500 (EST)
From: Cliff Addy
To: freebsd-isp@FreeBSD.ORG
Subject: Re: FreeBSD firewall questions
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks for all the input, guys, it was *very* enlightening. However, I think I've come up with a *much* simpler answer that works because of the way we're set up here.

The firewall machine is named odo, the router is wormhole, and my test server is tribble. All I did (in the brief experiment I tried) was to tell odo his default route is wormhole. Then I changed tribble's default route from wormhole to odo. Now, running a traceroute to freebsd.org, I get

 1  odo.addy.com (207.239.68.128)  0.556 ms  0.416 ms  0.411 ms
 2  wormhole.addy.com (207.239.68.1)  2.288 ms  2.161 ms  3.084 ms
 3  206.181.190.29 (206.181.190.29)  5.363 ms  3.590 ms  3.281 ms
 4  atl2-core2-h4-0.atlas.digex.net (165.117.52.1)  12.520 ms  49.487 ms
 .
 .
 etc.

If I read this right, all outgoing traffic is now being routed through odo and I can manipulate traffic with all my nifty tools. Of course, the one drawback I can see is that all traffic is transmitted on the ethernet segment twice, but I can live with that.

The only thing left would seem to be that I need to set wormhole to route inbound traffic to odo, but I'm sure I can figure out how to do that. Even if I can't, the real purpose of all this is to measure and meter outbound traffic, anyway.

My one concern is: what if odo dies? Can I set up the other FreeBSD machines to "fallback" to wormhole if odo cannot be contacted?