From owner-freebsd-questions Fri Aug 27 14:20:43 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from gatekeeper.ssi1.com (gatekeeper.ssi1.com [208.210.218.18]) by hub.freebsd.org (Postfix) with ESMTP id AF95B1559E for ; Fri, 27 Aug 1999 14:20:40 -0700 (PDT) (envelope-from zhackett@tus.ssi1.com)
Received: from hp427u.tus.ssi1.com (hp427u.tus.ssi1.com [146.252.25.27]) by gatekeeper.ssi1.com (8.9.0/8.9.0) with ESMTP id OAA10521 for ; Fri, 27 Aug 1999 14:20:36 -0700 (PDT)
Received: from atlas.tus.ssi1.com (atlas.tus.ssi1.com [146.252.27.210]) by hp427u.tus.ssi1.com (8.6.12/8.6.12) with ESMTP id OAA23341 for ; Fri, 27 Aug 1999 14:18:02 -0700
Received: from tu233.tus.ssi1.com (tu233.tus.ssi1.com [146.252.27.246]) by atlas.tus.ssi1.com (8.6.12/8.6.12) with ESMTP id OAA25639 for ; Fri, 27 Aug 1999 14:20:33 -0700
Received: from tus.ssi1.com (localhost [127.0.0.1]) by tu233.tus.ssi1.com (8.6.12/8.6.12) with ESMTP id OAA10290 for ; Fri, 27 Aug 1999 14:20:32 -0700
Message-ID: <37C7011F.CE378E71@tus.ssi1.com>
Date: Fri, 27 Aug 1999 14:20:32 -0700
From: Nathan Hackett
Organization: SSi
X-Mailer: Mozilla 4.61 [en] (X11; U; HP-UX B.10.20 9000/777)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-questions@FreeBSD.ORG
Subject: Firewall protected name server?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am trying to achieve the following network topology. The man page for route leads me to believe that this is possible using the -interface option, but all attempts to make this work have failed. X.Y.Z represents the public network subnet. The only addresses on this subnet that are available here are X.Y.Z.50, X.Y.Z.51, and X.Y.Z.52 (.52 not used in this example).
                    (The Internet)
                          |
               World Router X.Y.Z.1 (Cisco)
                          |
         |          |     |      |          |
  +------+----------+-----+------+----------+   Public network
                          |
                    ed1 X.Y.Z.50
                  FreeBSD Firewall
                    10.0.0.1 vr0
                          |
  +-----+-----+-----+-----+-----+-----+-----+   Unregistered Private
  |     |     |     |     |     |     |     |   network
  ed1 X.Y.Z.51
  NS1 FreeBSD Name server

The trick is that the name server needs to be addressable from the world, but protected behind the firewall also. All other clients on the Unregistered network are 10.0.0.x.

How do I set up the routing in the firewall so that packets for X.Y.Z.51 go through vr0 and not ed1, as the netmask for ed1 would imply? What should the ifconfig and route entries in the rc.conf files look like for both the firewall and the name server?

Also, some more information about what the -interface option to the route command really does would be nice. It does not seem to work as advertised in the man page, and in all the research I have done through the mailing list archives the answer is always "fix the netmask", but this does not help my understanding of the -interface option.

Thanks,
/Nathan

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
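The routing decision the question turns on can be shown without a FreeBSD box. The following is an added illustration, not code from the post or from the FreeBSD project: it models the firewall's routing table as the kernel builds it from the two interface netmasks, then adds the host route a reply might suggest (`route add -host X.Y.Z.51 -interface vr0`) and resolves a few destinations by longest-prefix match. It uses 192.0.2.0/24 (TEST-NET-1) as a constructed stand-in for the post's X.Y.Z, assumes the 10.0.0.x side is a /24, and renders the host route in the standard rc.conf `static_routes` / `route_<name>` form.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the post's addresses (X.Y.Z -> 192.0.2, TEST-NET-1).
PUBLIC = ipaddress.ip_network("192.0.2.0/24")      # netmask configured on ed1
WORLD_ROUTER = ipaddress.ip_address("192.0.2.1")   # the Cisco
FW_PUBLIC = ipaddress.ip_address("192.0.2.50")     # firewall, ed1
NS1 = ipaddress.ip_address("192.0.2.51")           # name server, reached via vr0
PRIVATE = ipaddress.ip_network("10.0.0.0/24")      # assumed netmask on vr0


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    iface: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None: directly attached
    static: bool = False                              # True: added by hand, not cloned


def firewall_table(with_host_route: bool) -> List[Route]:
    """The firewall's table: one route cloned from each interface's netmask,
    a default via the Cisco, and optionally the /32 host route for NS1."""
    table = [
        Route(PUBLIC, "ed1"),
        Route(PRIVATE, "vr0"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "ed1", gateway=WORLD_ROUTER),
    ]
    if with_host_route:
        # equivalent of: route add -host 192.0.2.51 -interface vr0
        table.append(Route(ipaddress.ip_network(f"{NS1}/32"), "vr0", static=True))
    return table


def lookup(table: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins,
    which is why a /32 on vr0 overrides the /24 implied by ed1's netmask."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.dest]
    return max(candidates, key=lambda r: r.dest.prefixlen)


def rc_conf_lines(table: List[Route]) -> List[str]:
    """Render the hand-added routes as rc.conf static_routes entries."""
    names, lines = [], []
    for r in table:
        if not r.static:
            continue
        name = f"h{r.dest.network_address}".replace(".", "_")
        names.append(name)
        target = f"-host {r.dest.network_address}" if r.dest.prefixlen == 32 \
            else f"-net {r.dest}"
        via = f"-interface {r.iface}" if r.gateway is None else str(r.gateway)
        lines.append(f'route_{name}="{target} {via}"')
    return [f'static_routes="{" ".join(names)}"'] + lines


if __name__ == "__main__":
    for flag in (False, True):
        t = firewall_table(flag)
        r = lookup(t, str(NS1))
        print(f"host route {'present' if flag else 'absent '}: "
              f"{NS1} -> {r.iface} ({r.dest})")
    print("\n".join(rc_conf_lines(firewall_table(True))))
```

Without the host route the table picks ed1 for 192.0.2.51 (the /24 cloned from ed1's netmask is the only match besides the default), and with it vr0 wins on prefix length; other public hosts and the 10.0.0.x clients are unaffected. The model covers only the firewall's forwarding decision. Delivery from the Cisco to the firewall's ed1 for an address it considers on-link, and the name server's own routes back through 10.0.0.1, are separate configuration steps not simulated here.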