From owner-freebsd-questions Sat Jan 26 22:20:06 2002
Date: Sun, 27 Jan 2002 00:22:58 -0600 (CST)
From: Nick Rogness
To: Allen Landsidel
Cc: Doug Reynolds, freebsd-questions@FreeBSD.ORG
Subject: Re: multihomed routing woes..
In-Reply-To: <20020121223922.8AAE04844F@wastegate.net>

On Mon, 21 Jan 2002, Doug Reynolds wrote:

> On Sun, 20 Jan 2002 21:15:30 -0500, Allen Landsidel wrote:
>
> >> The real problem here is that you are running publics on your
> >> inside. Why are you doing this and not using static nat for this?
> >
> > Why should I use nat if I'm paying for an IP block? The lan is not an
> > intranet, it's a bunch of "real" servers out on the internet.

You didn't understand me, sorry if I didn't explain in detail. You still
use your public address space, except you let nat on the firewall dish
out address space via -redirect_address directives as explained by
Mr. Reynolds below.
> someone will probably tell me that this is way out of line and maybe
> twisted, and you'd probably need a killer firewall machine but here
> goes:
>
> 1) assign all your ip addresses (that you need) of your server bank LAN
>    to the nic card in your main firewall machine
> 2) assign private addresses to everything
> 3) run NATD and put redirect_address statements in a configuration
>    file for each one of your servers
> 4) firewall out all the ports you don't want going to whichever
>    machine. i'd at least leave an ssh port open on all the servers so
>    you can change the configuration.
>
> the only problem i see is that this must take up too many resources, and
> defeat the purpose of having individual servers :)

This is not entirely a bad thing to do. I would not bind the addresses to
the NIC. Instead I would route the IP block via the upstream router to the
firewall. That way no address binding is needed and natd is still happy.
Either way is still a legal play. The resources used would be minimal if
the traffic was reasonable.

> or, dump all the ips and NATD everything.
>
> the only plus on having the above config would be you'd have separate
> ip addresses for each host, whereas you'd have to CNAME everything just
> to NATd everything

Nick Rogness
- Don't mind me...I'm just sniffing your packets

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
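The layout Doug sketches and Nick amends (the public block routed by the upstream router to the firewall instead of aliased onto its NIC, private addresses on the servers, one natd redirect_address per server, ipfw passing only the ports each server needs) as a worked example. This is an added example, not a configuration posted in the thread or taken from FreeBSD's own documentation. The interface names, the address ranges (RFC 5737 documentation space), the server table and the port lists are assumptions, and the script only generates the natd.conf and ipfw rule files as text, so it can be run and reviewed offline on any POSIX shell without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): generate /etc/natd.conf and an ipfw
# ruleset for "public block routed to the firewall, private addresses on the
# servers, one natd redirect_address per server". Every address, interface
# and port below is an assumption chosen for illustration.
#
# Assumed /etc/rc.conf on the firewall (not written by this script):
#   gateway_enable="YES"
#   firewall_enable="YES"
#   firewall_type="/etc/ipfw.rules"
#   natd_enable="YES"
#   natd_interface="fxp0"
#   natd_flags="-f /etc/natd.conf"

EXT_IF="fxp0"                  # assumed outside interface
INT_IF="xl0"                   # assumed inside (server LAN) interface
PUBLIC_BLOCK="203.0.113.0/28"  # assumed block the upstream router routes to us
INT_NET="10.0.0.0/24"          # assumed private server LAN

# Constructed server table: "public private comma-separated-tcp-ports".
# Every server keeps ssh (22) reachable, as Doug suggests.
SERVERS='203.0.113.10 10.0.0.10 22,80,443
203.0.113.11 10.0.0.11 22,25
203.0.113.12 10.0.0.12 22'

# natd.conf: static NAT, one "redirect_address localIP publicIP" per server.
# natd rewrites both directions, so the server also leaves with its public IP.
gen_natd_conf() {
    printf 'interface %s\n' "$EXT_IF"
    printf 'same_ports yes\nuse_sockets yes\n'
    while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        printf 'redirect_address %s %s\n' "$priv" "$pub"
    done <<EOF
$SERVERS
EOF
}

# ipfw rules. The divert rule comes first, so an inbound packet is filtered
# on its translated (private) destination and an outbound packet already
# carries its public source when the filter sees it.
gen_ipfw_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01000 divert natd ip from any to any via $EXT_IF
add 01100 allow ip from $INT_NET to any in via $INT_IF
add 01200 allow ip from any to $INT_NET out via $INT_IF
add 01300 allow ip from $PUBLIC_BLOCK to any out via $EXT_IF
add 01400 allow tcp from any to $INT_NET in via $EXT_IF established
EOF
    n=2000
    while read -r pub priv ports; do
        [ -n "$pub" ] || continue
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            printf 'add %05d allow tcp from any to %s %s in via %s setup\n' \
                "$n" "$priv" "$p" "$EXT_IF"
            n=$((n + 10))
        done
    done <<EOF
$SERVERS
EOF
    cat <<EOF
add 65000 deny log ip from any to any in via $EXT_IF
add 65100 deny ip from any to any
EOF
}

# Number of per-server "setup" rules; a quick check that the table parsed.
count_port_rules() {
    gen_ipfw_rules | grep -c ' setup$'
}

# On the firewall (as root): gen_natd_conf > /etc/natd.conf
#                            gen_ipfw_rules > /etc/ipfw.rules
# Here both are printed so the result can be reviewed before loading.
echo '# --- /etc/natd.conf ---'
gen_natd_conf
echo '# --- /etc/ipfw.rules ---'
gen_ipfw_rules
```

Two caveats a reader setting this up should keep in mind. First, the rule order matters: if the divert rule sits after the filter rules, inbound packets are still addressed to the public IPs when they are checked and the per-server rules above never match. Second, `established` is the stateless TCP check of that era (any segment that is not a bare SYN), which is what Doug's "firewall out all the ports" amounts to; it is simpler than `keep-state` but does not track individual connections. If the upstream router does not route the block to the firewall (Doug's variant rather than Nick's), each public address additionally needs an `ifconfig fxp0 alias ... netmask 255.255.255.255` so the firewall answers ARP for it; the natd.conf and rules stay the same.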