From owner-freebsd-questions Wed Jul 9 12:29:44 1997
Date: Wed, 9 Jul 1997 14:29:26 -0500 (EST)
From: Kenneth Chiu
Reply-To: chiuk@cs.indiana.edu
To: freebsd-questions@freebsd.org, freebsd-ips@freebsd.org
Subject: FreeBSD as a router/firewall in this poorly-configured network

I would like to use FreeBSD as a firewall between an "unsecure" physical network and a "secure" physical network. Unfortunately, there is no subnetting, and I can't change IP numbers for political reasons. Here is the configuration:

                     |
                     | T1
                     |
                ----------
                | Cisco  |
                | router |
                ----------
                     | 206.97.64.1
                     |
    Hub =======================================
          |                  |                |
          | 206.97.64.129    | 206.97.64.63   | 206.97.64.66
          | fxp0             |                |
     ------------       web server       mail server
     | FreeBSD  |
     | firewall |
     ------------
          | fxp1
          | 206.97.64.200
     =====================
     Internal network, all one physical net

As I understand how routing works in FreeBSD, this configuration can work, because more specific routes are preferred. Will these commands create the correct routing table?
    route add default 206.97.64.1 -ifp fxp0
    route add -interface 206.97.64.1 206.97.64.129     # route to router
    route add -interface 206.97.64.63 206.97.64.129    # route to web server
    route add -interface 206.97.64.66 206.97.64.129    # route to mail server
    route add -interface 206.97.64.0 206.97.64.200     # route to internal net

Because both interfaces are on the same network, I assume I need to use -ifp or -interface, but I'm not sure I understand the distinction between the two.

Hopefully, I will be able to configure the Cisco router to forward 206.97.64.0 packets to the firewall only if they are not to the web server or the mail server. If not, I was thinking that maybe having the firewall use Proxy ARP to fool the router into sending packets bound for the internal net to the firewall might work.
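The longest-prefix-match behaviour the post relies on, as an added example that is not part of the original message and not FreeBSD's route(8) code: it models the proposed table (three /32 host routes and the default on fxp0, the /24 on fxp1) and shows which interface each destination resolves to. The prefix lengths and the "direct delivery when no gateway" convention are assumptions of this model.

```python
import ipaddress

# Constructed model of the routing table the post proposes. A /32 host route
# is more specific than the /24 network route, which is more specific than
# the default, so the kernel's longest-prefix match picks in that order.
#   (prefix, gateway or None for directly attached, outgoing interface)
ROUTES = [
    ("0.0.0.0/0",       "206.97.64.1", "fxp0"),  # default via the Cisco router
    ("206.97.64.1/32",  None,          "fxp0"),  # router, directly attached
    ("206.97.64.63/32", None,          "fxp0"),  # web server, directly attached
    ("206.97.64.66/32", None,          "fxp0"),  # mail server, directly attached
    ("206.97.64.0/24",  None,          "fxp1"),  # rest of the /24 is internal
]


def lookup(dst, routes=ROUTES):
    """Return (interface, next_hop) for dst using longest-prefix match.

    A route with no gateway delivers directly, so the next hop is dst itself.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway, ifp in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, ifp)
    if best is None:
        raise LookupError(f"no route to {dst}")
    net, gateway, ifp = best
    return ifp, gateway if gateway is not None else dst


def interface_for(dst, routes=ROUTES):
    """Outgoing interface only; handy for checking the inside/outside split."""
    return lookup(dst, routes)[0]


if __name__ == "__main__":
    for dst in ["206.97.64.1", "206.97.64.63", "206.97.64.66",
                "206.97.64.150", "10.0.0.1"]:
        ifp, next_hop = lookup(dst)
        print(f"{dst:<14} -> {ifp} (next hop {next_hop})")
```

Only the three listed hosts leave via fxp0 on the /24; every other 206.97.64.x address resolves to fxp1, which is the property the firewall rules on the two interfaces would depend on.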