From owner-freebsd-security Mon Jan 29 22:46:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82])
    by hub.freebsd.org (Postfix) with ESMTP id B65F437B400
    for ; Mon, 29 Jan 2001 22:46:32 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168])
    by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19);
    Mon, 29 Jan 2001 22:44:11 -0800
Received: (from cjc@localhost)
    by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f0U6jsP02016;
    Mon, 29 Jan 2001 22:45:54 -0800 (PST) (envelope-from cjc)
Date: Mon, 29 Jan 2001 22:45:48 -0800
From: "Crist J. Clark"
To: mharding@marketnews.com
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: My FreeBSD Firewall
Message-ID: <20010129224547.E91447@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <980823114.3a762c4a041fa@mail.marketnews.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <980823114.3a762c4a041fa@mail.marketnews.com>; from mharding@marketnews.com on Mon, Jan 29, 2001 at 09:51:54PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 29, 2001 at 09:51:54PM -0500, mharding@marketnews.com wrote:
> Hello. I am building a Firewall and have some questions about how to implement
> it. The basic firewall is a FreeBSD box running squid for transparent proxy,
> IPFW for dummynet to rate limit SYNs, and IPF as my main stateful packet
> filter. The problem I have is with putting this into production. I have a T1
> to the internet, the router's IP address is 172.16.1.1 (well not really but it
> works for the example) and all of the computers on the LAN are in the 172.16.1.0
> (once again..only for the example) network. So here I get to the
> question....is there any way to set the firewall with the same IP address as
> the router to make the install fairly transparent to the users? Could I set
> the firewall up as 172.16.1.1 and use NAT to let it communicate with the router
> for internet traffic? How would I set up my routing tables? Also if anyone
> has any input as far as how I am building my firewall that would be very
> appreciated.

Easy. Put an RFC1918 LAN in between the router and firewall,

                                                              {
  Router:192.168.100.1---192.168.100.2:Firewall:172.16.1.1---{ 172.16.1.0/xx
                                                              {

Just change the internal address of the router and add the route (in
route(8) syntax),

  route add -net 172.16.1.0/xx 192.168.100.2

No need for NAT or anything wack like that.
-- 
Crist J. Clark
cjclark@alum.mit.edu
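
The firewall side of the layout in the reply above, as an added example that is not part of the original message: an /etc/rc.conf fragment for the FreeBSD box. The interface names fxp0 and fxp1, the /30 transit netmask and the /24 LAN netmask are assumptions; the reply leaves the LAN prefix as /xx.

```conf
# /etc/rc.conf on the firewall (added example; interface names and
# netmasks are assumptions, addresses are the ones used in the thread)

# Outside interface: transit link to the router, RFC 1918 space.
# A /30 gives exactly two usable hosts (.1 router, .2 firewall).
ifconfig_fxp0="inet 192.168.100.2 netmask 255.255.255.252"

# Inside interface: takes over the router's old LAN address, so LAN
# hosts keep their existing default gateway and need no changes.
ifconfig_fxp1="inet 172.16.1.1 netmask 255.255.255.0"

# Forward packets between the two interfaces.
gateway_enable="YES"

# Everything that is not on the LAN goes to the router's new inside address.
defaultrouter="192.168.100.1"

# Router side (not configured here): renumber its inside interface to
# 192.168.100.1 and add a static route for the LAN via 192.168.100.2.
# Without that route the router no longer has a path back to
# 172.16.1.0, so replies to LAN hosts are dropped at the router.
```

Because the LAN keeps its own addresses end to end and the router learns them through the static route, the firewall only routes and filters; no address translation is involved on the transit link.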