From owner-freebsd-stable Thu Jun 15 23:26:11 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32])
	by hub.freebsd.org (Postfix) with ESMTP id C1D6B37BD00
	for ; Thu, 15 Jun 2000 23:26:07 -0700 (PDT)
	(envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost)
	by resnet.uoregon.edu (8.10.1/8.10.1) with ESMTP id e5G6Q5k09355;
	Thu, 15 Jun 2000 23:26:05 -0700 (PDT)
Date: Thu, 15 Jun 2000 23:26:05 -0700 (PDT)
From: Doug White
To: Sean-Paul Rees
Cc: stable@FreeBSD.ORG
Subject: Re: Advanced Router
In-Reply-To: <20000614145219.A88415@seanrees.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 14 Jun 2000, Sean-Paul Rees wrote:

> We want to put our media labs on private address space to conserve our
> routable address space. We also want a small firewall to filter out
> some of the garbage that goes through, and to block certain services
> from untrusted sources.
>
> What I want to do is sit the FreeBSD box in the middle, so-to-speak.
>
>            [T1 - CRL]
>                |
>          [FreeBSD Router]
>     ___________| |___________
>    |                         |
> [ Our Servers ]      [ Media Labs NAT ]
>  (x.x.x.x/24)         (192.168.0.0/24)

In this case I'd push the NAT to cover all the systems and extend the
private address space to cover everything. Then use redirect_port and/or
redirect_address in the natd configuration to pipe through the services
from the servers to the outside world. This buys you an implicit firewall
for your servers (==good). The QTS server will probably require
redirect_address, so you may want to craft some firewall rules to protect
it individually.

This gets around the sticky broadcast problems you need for conventional
AppleShare (you really should use AppleShareIP; it's faster and much more
stable).

Also pick up a good extensible switch, like an HP ProCurve 4000M, and plug
everything into it. 80 ports for $1000 with rebate, and it is a fantastic
switch.

Do you have a T1/sync serial card that you're plugging the T1/CSU/DSU
through, or do you have, i.e., a Cisco 2600 that's taking care of that?

Doug White                    | FreeBSD: The Power to Serve
dwhite@resnet.uoregon.edu     | www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
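The layout Doug suggests (everything behind natd, with redirect_port holes for ordinary services, a redirect_address mapping for the QTS server, and ipfw rules to narrow what that mapping exposes) can be written down as a natd.conf plus an ipfw ruleset. The script below is an added example, not Doug's or the FreeBSD project's configuration. It assumes an outside interface named fxp0, uses 203.0.113.0/24 as a stand-in for the site's routable /24 (the "x.x.x.x/24" of the diagram), places the servers in the 192.168.0.0/24 space from the post, and uses constructed host addresses and a placeholder UDP port range for the streaming server.

```shell
#!/bin/sh
# Added example (not from the list post): natd + ipfw for a router that
# NATs both the media labs and the servers. Every name and address here is
# a constructed placeholder:
#   fxp0            - the router's outside interface (assumed)
#   203.0.113.0/24  - stands in for the site's routable /24
#   192.168.0.0/24  - the private space from the post, now holding servers too
EXT_IF="fxp0"
WEB_SRV="192.168.0.10"        # web server, published with redirect_port
QTS_SRV="192.168.0.20"        # streaming server, needs redirect_address
QTS_PUBLIC="203.0.113.20"     # public alias dedicated to the streaming server
QTS_UDP_PORTS="7000-7999"     # placeholder; use the range your server is configured for

# natd.conf: one natd option per line (same names as the command-line flags).
natd_conf() {
    cat <<EOF
interface ${EXT_IF}
use_sockets yes
same_ports yes
dynamic yes
# Only translate RFC 1918 sources; leave anything else untouched.
unregistered_only yes
# Port-level holes: only these ports reach the web server from outside.
redirect_port tcp ${WEB_SRV}:80 80
redirect_port tcp ${WEB_SRV}:443 443
# Full 1:1 mapping for the streaming server. Every port on the public
# alias lands on the private host, so the ipfw rules must narrow it.
redirect_address ${QTS_SRV} ${QTS_PUBLIC}
EOF
}

# ipfw ruleset. Inbound packets are translated by the divert rule first,
# so the per-host filters below match on the private addresses.
firewall_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 divert natd ip from any to any via ${EXT_IF}
ipfw add 200 allow ip from any to any via lo0
ipfw add 300 deny ip from 192.168.0.0/24 to any in via ${EXT_IF}
ipfw add 400 allow tcp from any to any established
ipfw add 500 allow tcp from any to ${WEB_SRV} 80,443 in via ${EXT_IF}
ipfw add 510 allow tcp from any to ${QTS_SRV} 554 in via ${EXT_IF}
ipfw add 515 allow udp from any to ${QTS_SRV} ${QTS_UDP_PORTS} in via ${EXT_IF}
ipfw add 520 deny ip from any to ${QTS_SRV} in via ${EXT_IF}
ipfw add 600 allow udp from any to 192.168.0.0/24 in via ${EXT_IF}
ipfw add 700 allow ip from 192.168.0.0/24 to any out via ${EXT_IF}
ipfw add 65000 deny ip from any to any
EOF
}

# Without arguments the script only prints both pieces for review;
# "apply" writes natd.conf and loads the ruleset (run as root on the router).
if [ "${1:-}" = "apply" ]; then
    natd_conf > /etc/natd.conf
    firewall_rules | sh
else
    natd_conf
    echo "--- ipfw rules ---"
    firewall_rules
fi
```

Rule 300 drops packets that arrive on the outside interface claiming a private source, which the NAT layout otherwise makes attractive to spoof. Rule 520 is the "protect it individually" part: after the specific RTSP and UDP allows, everything else aimed at the redirect_address host is dropped before the general UDP return-traffic rule (600) can pass it. Rule 600 only ever sees packets that natd has already translated to a private address, i.e. replies matching its dynamic table, since untranslated packets still carry the router's public address and fall through to 65000. Management access to the router itself (ssh, for example) is not opened by this set and needs its own rule, and on the router the public alias must also be configured on fxp0 (ifconfig alias) with gateway_enable, firewall_enable and natd_enable set in rc.conf.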