From: Daniel Kelley <dkelley@otec.com>
Date: Thu, 28 Jun 2001 21:20:07 -0400 (EDT)
To: freebsd-questions@freebsd.org
Subject: routing ip addresses through a freebsd firewall

hi-

I'm trying to configure a 4-STABLE box to protect 5 IP addresses on a class C network. The machine has 2 NICs; the external w/ a public IP and the internal w/ a 10. address. Ideally, I'd like to NAT the public IPs to 10. addresses.

I've been following a tutorial that gives a decent setup for an IPFILTER firewall:

    http://www.schlacter.dyndns.org/public

The actual packet filtering seems pretty straightforward; I'm having problems with NAT and routing.

Problem 1: routing

I'm unclear on whether or not I need to run routed or gated in order to forward the packets addressed to the 5 public IPs into the firewall. I've seen a couple of things that suggest you can modify ARP parameters in the kernel (?), but I'm not sure if this is advisable or not.

Problem 2: NAT

I'd like to set up simple bi-directional NAT and let the ipfilter rules handle everything else.
I've tried the following ipnat rules:

    bimap aa.bb.cc.0/24 -> 10.1.1.0/24

I'm not sure if I need a bimap in the opposite direction (inside->outside). Adding a rule like this:

    map 10.1.1.0/24 -> 0/32

will take any traffic from the inside interface and send it out with whatever address the external NIC has, but that's not what I'm looking for.

Any help would be greatly appreciated. Please cc me if you reply - I'm not on the list.

thanks-
dan
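An added illustration of how the two pieces Dan asks about fit together (example code, not from the post or the tutorial). It assumes the external NIC is fxp0, constructs five public addresses from the 203.0.113.0/24 documentation range paired with inside hosts on 10.1.1.0/24, and uses a placeholder MAC for the external interface. ipnat's bimap takes the inside address on the left and the public address on the right, one /32 rule per protected host; the public addresses reach the firewall either because the upstream router has a route for them pointing at the firewall's external address, or because the firewall publishes proxy ARP entries for them on the external segment, so neither routed nor gated is required.

```shell
#!/bin/sh
# Added example (not from the post): emits /etc/ipnat.conf lines for
# 1:1 bidirectional NAT plus the matching proxy-ARP commands.
EXT_IF=fxp0                      # assumed external interface
EXT_MAC=00:00:00:00:00:01        # placeholder: MAC of $EXT_IF (see ifconfig)
# "public inside" pairs, one per protected host (constructed addresses)
HOST_MAP="203.0.113.10 10.1.1.10
203.0.113.11 10.1.1.11
203.0.113.12 10.1.1.12
203.0.113.13 10.1.1.13
203.0.113.14 10.1.1.14"

# One bimap per host: inside address on the left, public on the right.
# A /24 -> /24 bimap would map 256 addresses; only five are wanted here.
gen_ipnat_rules() {
    echo "$HOST_MAP" | while read pub inside; do
        [ -n "$pub" ] || continue
        echo "bimap $EXT_IF $inside/32 -> $pub/32"
    done
}

# Proxy ARP: make the firewall answer ARP for each public address on the
# external segment so the upstream router hands those packets to it.
# Only needed when the router sits on the same Ethernet segment; if the
# provider routes the block to the firewall's external IP, skip this.
gen_proxy_arp_cmds() {
    echo "$HOST_MAP" | while read pub inside; do
        [ -n "$pub" ] || continue
        echo "arp -s $pub $EXT_MAC pub"
    done
}

# Forwarding between the two NICs must also be enabled; on 4.x that is
# gateway_enable="YES" in /etc/rc.conf (net.inet.ip.forwarding=1).
gen_ipnat_rules
gen_proxy_arp_cmds
```

Redirect the first function's output into /etc/ipnat.conf and load it with ipnat -f; the filter rules still decide what is allowed through once the address translation and delivery are in place.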