From owner-freebsd-security Thu May 9 8:41:11 2002
Message-ID: <3CDA988D.34E2148C@centtech.com>
Date: Thu, 09 May 2002 10:41:01 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
To: freebsd-security@freebsd.org
Subject: ipnat and bimapping
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

I'm setting up a NAT gateway/firewall. It has three interfaces on it (one to the big bad net, one to the protected net, and one to a DMZ kind of net). Basically, I'm currently using the first two ports (big bad net and protected net), but I'd like to enable that third net without stabbing myself and creating security holes, while allowing a single machine to be "wide open" behind the gateway.

So, here's what my setup looks like:

                     Internet
                        |
                        |
                 [24.24.24.1/32]
                 Nat/Gateway box
            [10.10.20.1, 10.10.10.1]
                       /\
                      /  \
                     /    \
    wide open box here     [protected net, 10.10.10.0/24]
    [10.10.20.2/32]

Would bimapping the 24.24.24.1/32 address to 10.10.20.2/32 work? Or would that screw up my NATing of the 10.10.10.0/24 net? I need all ports NOT NATed to 10.10.10.0/24 to go to 10.10.20.2/32. Am I asking for trouble on the protected net, or is this safe?
Is bimap the right thing to use? How big is the gun that I am about to use to shoot myself in the foot?

Eric

--
------------------------------------------------------------------
Eric Anderson        Systems Administrator      Centaur Technology
You have my continuous partial attention
------------------------------------------------------------------
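The following is an added example for the layout Eric describes; it is not part of his post or of any reply on the list. It shows an IPFilter ipnat.rules fragment with a normal map rule for the protected net next to a bimap for the single DMZ host, plus the ipf.rules lines that keep the "wide open" host away from the protected net. The interface names xl0 (Internet), xl1 (protected net) and xl2 (DMZ) and the portmap range are assumptions, since the post does not give them.

```conf
# /etc/ipnat.rules  (added example; interface names are assumptions)
#
# xl0 = Internet (24.24.24.1), xl1 = protected net (10.10.10.1),
# xl2 = DMZ (10.10.20.1).  Rules are matched in order, first match wins.

# Outbound from the protected net: hide the whole /24 behind 24.24.24.1.
# The portmap range rewrites TCP/UDP source ports, so these sessions
# cannot collide with the untranslated ports the bimapped host uses on
# the same public address.  The second line catches everything else
# (ICMP, GRE, ...).
map xl0 10.10.10.0/24 -> 24.24.24.1/32 portmap tcp/udp 10000:40000
map xl0 10.10.10.0/24 -> 24.24.24.1/32

# One-to-one mapping of the DMZ host onto the public address.  bimap is a
# map plus an rdr in one rule: traffic from 10.10.20.2 leaves as
# 24.24.24.1, and any inbound packet for 24.24.24.1 that does not belong
# to an existing NAT session (replies to the map rules above are looked
# up in the NAT table before rdr rules are consulted) is sent to
# 10.10.20.2 on the same port.  That includes ports the gateway itself
# listens on, so the gateway stops being reachable on 24.24.24.1 from
# outside; manage it from the protected side.
bimap xl0 10.10.20.2/32 -> 24.24.24.1/32

# /etc/ipf.rules  (excerpt, added example)
#
# NAT does nothing to keep the wide-open host away from the protected
# net; that is the packet filter's job.  Anything the DMZ segment sends
# toward the protected net is dropped and logged on the DMZ interface,
# before routing.  Connections opened from the protected side to the
# DMZ host are tracked with keep state, and IPFilter checks the state
# table before the rule list, so their replies still get through the
# block rule.
block in log quick on xl2 from 10.10.20.0/24 to 10.10.10.0/24
pass out quick on xl2 proto tcp from 10.10.10.0/24 to 10.10.20.2/32 keep state
pass out quick on xl2 proto udp from 10.10.10.0/24 to 10.10.20.2/32 keep state
pass out quick on xl2 proto icmp from 10.10.10.0/24 to 10.10.20.2/32 keep state
```

Load with `ipnat -CF -f /etc/ipnat.rules` and `ipf -Fa -f /etc/ipf.rules`, then confirm the active translations with `ipnat -l`: a protected-net session should show a rewritten source port on 24.24.24.1, while the DMZ host's sessions keep their original ports. The ipf excerpt only covers the DMZ interface; the rules for xl0 and xl1 (what the Internet may reach on 24.24.24.1, and what the protected net may start) still have to be written for the site.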