From: Chuck Swiger
Date: Sun, 27 Jun 2004 15:54:32 -0400
To: Romain Kang
Cc: freebsd-questions@freebsd.org
Subject: Re: IP alias + NAT through a single NIC?
Message-ID: <40DF25F8.1050305@mac.com>
In-Reply-To: <200406261600.i5QG07kG008437@kzsu.stanford.edu>

Romain Kang wrote:
> I have a single physical network with 2 disjoint address spaces in
> it. Logical Net 1 is routable, while Logical Net 2 is in private
> space intended to keep devices there safe from the outside. Now I
> need to allow some Net 2 devices the capability to access the web,
> and putting in a second physical net is impractical.
>
> Can a FreeBSD box with just one NIC on the physical net be used as
> the router between the logical nets?

Yes, although using one NIC compromises security a great deal compared
with having two physical subnets separated by a packet-filtering
firewall. Set up an interface alias via ifconfig to go on the second
network, enable ipforwarding and presumably NAT.

> If so, could it be used to limit outside access from Net 2 by
> hardware address?

All outside traffic is going to go through the machine used as a router
and acquire its hardware address. If you have another router on net 1,
blocking packets from that MAC on all of the hosts on net 2 would be
useful, but you'd have to do it for each client machine, not just on
this FreeBSD box itself.

> Or is there a proxy that would work for this configuration?

Running a proxy server on the FreeBSD box is more secure than providing
routing and NAT for the machines on net 2. squid works fine for this.

-- 
-Chuck
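As an added example (not code from this thread, and not FreeBSD's own rc scripts), the script below emits the configuration that the answer sketches for both options: the one-NIC router (ifconfig alias on Net 2, IP forwarding, NAT with ipfw and natd, web-only filtering) and the squid proxy alternative. The interface name fxp0, the addresses 203.0.113.0/24 and 192.168.1.0/24, and the file paths are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: emit the FreeBSD configuration for the
# one-NIC setup the answer sketches (ifconfig alias, IP forwarding, NAT via
# ipfw/natd) and for the squid alternative. Interface name and all addresses
# are assumptions chosen for illustration.
NIC="fxp0"                 # the single physical interface
NET1_ADDR="203.0.113.10"   # this box's routable address on Net 1
NET1_MASK="255.255.255.0"
NET1_GW="203.0.113.1"      # the existing router on Net 1
NET2_ADDR="192.168.1.1"    # alias on Net 2; Net 2 hosts use it as gateway
NET2_MASK="255.255.255.0"
NET2="192.168.1.0/24"

# /etc/rc.conf fragment. Mode "router" turns on forwarding, natd and a custom
# ipfw script; mode "proxy" leaves forwarding off and adds only the alias.
gen_rc_conf() {
  cat <<EOF
ifconfig_${NIC}="inet ${NET1_ADDR} netmask ${NET1_MASK}"
ifconfig_${NIC}_alias0="inet ${NET2_ADDR} netmask ${NET2_MASK}"
defaultrouter="${NET1_GW}"
EOF
  if [ "$1" = "router" ]; then
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="${NIC}"
natd_flags="-unregistered_only"
EOF
  else
    cat <<EOF
gateway_enable="NO"
squid_enable="YES"
EOF
  fi
}

# /etc/sysctl.conf fragment: a box that forwards packets back out the
# interface they arrived on may send ICMP redirects to Net 2 hosts; keep
# the clients pointed at this box by switching redirects off.
gen_sysctl_conf() {
  echo "net.inet.ip.redirect=0"
}

# /etc/ipfw.rules: translate only traffic that crosses between the nets,
# un-translate replies to the public address, and let Net 2 reach the
# outside on the web ports (plus DNS) only, with state so replies get back.
gen_ipfw_rules() {
  cat <<EOF
#!/bin/sh
fwcmd="/sbin/ipfw -q"
\${fwcmd} -f flush
\${fwcmd} add 100 allow ip from any to any via lo0
\${fwcmd} add 200 divert natd ip from ${NET2} to not ${NET2} out via ${NIC}
\${fwcmd} add 210 divert natd ip from any to ${NET1_ADDR} in via ${NIC}
\${fwcmd} add 300 check-state
\${fwcmd} add 310 allow tcp from ${NET2} to not ${NET2} 80,443 in via ${NIC} setup keep-state
\${fwcmd} add 311 allow udp from ${NET2} to any 53 in via ${NIC} keep-state
\${fwcmd} add 320 deny log ip from ${NET2} to any in via ${NIC}
\${fwcmd} add 400 allow ip from any to any out via ${NIC}
\${fwcmd} add 410 allow ip from any to ${NET1_ADDR} in via ${NIC}
\${fwcmd} add 65000 deny log ip from any to any
EOF
}

# /usr/local/etc/squid/squid.conf fragment for the proxy alternative: listen
# only on the Net 2 alias and accept only Net 2 clients on the web ports.
gen_squid_conf() {
  cat <<EOF
http_port ${NET2_ADDR}:3128
acl net2 src ${NET2}
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow net2
http_access deny all
EOF
}

# Usage: sh single-nic.sh router   (or: sh single-nic.sh proxy)
case "${1:-}" in
  router) gen_rc_conf router; echo; gen_sysctl_conf; echo; gen_ipfw_rules ;;
  proxy)  gen_rc_conf proxy; echo; gen_squid_conf ;;
esac
```

The natd flag -unregistered_only makes natd rewrite only packets with private (RFC 1918) source addresses, so replies that it has already un-translated and that leave the same interface again towards Net 2 are not rewritten a second time. The ipfw rules only govern traffic that is actually routed through this box: because both logical nets share one wire, any Net 1 host can configure a Net 2 alias on its own interface and reach Net 2 hosts directly, which is why the one-NIC design protects less than two physical segments with a filter between them. In proxy mode nothing is forwarded at all; Net 2 clients point their browsers at the alias address on port 3128 and only the web ports listed in the ACLs get out.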