From: Sheldon Hearn
To: freebsd-questions@FreeBSD.org
Subject: Routing for a management interface on a firewall
Date: Thu, 01 Nov 2001 12:48:56 +0200
Message-ID: <75260.1004611736@axl.seasidesoftware.co.za>

Hi folks,

I'm building a FreeBSD 4.4-STABLE firewall with 3 interfaces. I have two questions. The sketch below needs to be viewed in a fixed-width font:

          Public interface (216.123.44.2/24)
                |
          +-----|-----+
          |           |
          | Firewall: |
          | ipfw/natd =-- Management interface (216.123.49.36)
          |           |
          |           |
          +-----|-----+
                |
          Private interface (10.0.0.1/24)

Every address on the private network has a corresponding address on the public network. This means that I only need natd for address translation. I don't need port mapping, and 216.123.44.2 itself doesn't need to be mapped to a private address.

I have all my interface aliases set up on 216.123.44.2 and have my natd translations between the 216.123.44.2/24 and 10.0.0.1/24 networks configured.

1) Do I need skipto rules for 216.123.44.2 that prevent traffic to or from that specific IP address being diverted to natd? Alternatively, should I map 10.0.0.1 to 216.123.44.2 with natd?

2) How do I set up routing so that traffic _from_ 216.123.44.2/24 leaves via the public interface and not via the management interface? Right now, my defaultrouter is 216.123.49.33 so that sshd will work.
Thanks,
Sheldon.
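One way to lay out the rule set and routes for the three-interface box described above, as an added example that is not part of the original post or a reply to it. It takes the skipto option from question 1 (only traffic crossing the public interface reaches natd, and the firewall's own address is stepped over before the divert rule) and, for question 2, moves the default route to the public side with a single route for the administrators' network via 216.123.49.33. The interface names fxp0/fxp1/fxp2, the public gateway 216.123.44.1 and the admin network 192.0.2.0/24 are assumptions; the addresses from the post are used as given.

```shell
#!/bin/sh
# Added example for the layout in the post, not the poster's own config.
# Interface names, PUB_GW and ADMIN_NET are assumed placeholders.
PUB_IF=fxp0;  PUB_IP=216.123.44.2
PRIV_IF=fxp1
MGMT_IF=fxp2; MGMT_IP=216.123.49.36; MGMT_GW=216.123.49.33
PUB_GW=216.123.44.1      # assumed: gateway on the public /24
ADMIN_NET=192.0.2.0/24   # assumed: where admins ssh to $MGMT_IP from

# Emit the rule set rather than executing it, so it can be reviewed and
# then fed to sh on the firewall. Real filtering rules belong at 1000+;
# the single allow at 1000 only stands in for them here.
gen_fw_rules() {
    cat <<EOF
ipfw -f flush
# packets to or from the firewall's own public address skip natd
ipfw add 100 skipto 1000 ip from $PUB_IP to any out via $PUB_IF
ipfw add 110 skipto 1000 ip from any to $PUB_IP in via $PUB_IF
# management traffic never touches natd either
ipfw add 120 skipto 1000 ip from any to any via $MGMT_IF
# natd only ever sees what is diverted to it: traffic on the public side
ipfw add 200 divert natd ip from any to any via $PUB_IF
ipfw add 1000 allow ip from any to any
EOF
}

# Default route on the public side so replies sourced from 216.123.44.x
# leave via $PUB_IF. The management subnet is directly connected, so it
# needs no route; only the remote admin network is sent via $MGMT_GW,
# which keeps sshd's replies on the management interface (no asymmetry).
gen_routes() {
    cat <<EOF
route delete default
route add default $PUB_GW
route add -net $ADMIN_NET $MGMT_GW
EOF
}

# In rc.conf the matching persistent settings would be
# defaultrouter="$PUB_GW", natd_enable="YES", natd_interface="$PUB_IF".
```

Run `gen_fw_rules` and `gen_routes` to print the commands; with natd diverted only on the public interface, nothing that leaves via the management interface is ever translated.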