Date: Wed, 9 Jul 1997 14:29:26 -0500 (EST)
From: Kenneth Chiu <chiuk@cs.indiana.edu>
To: freebsd-questions@freebsd.org, freebsd-ips@freebsd.org
Subject: FreeBSD as a router/firewall in this poorly-configured network
Message-ID: <Pine.BSF.3.95q.970709141859.4935A-100000@ganymede.bloomington.nsisw.com>
I would like to use FreeBSD as a firewall between an "unsecure" physical
network and a "secure" physical network. Unfortunately, there is no
subnetting, and I can't change IP numbers for political reasons.
Here is the configuration:
                               |
                               |
                          T1   |
                               |
                               |
                          ----------
                          |  Cisco |
                          | router |
                          ----------
                               | 206.97.64.1
                               |
                               | Hub
        =======================================
        | 206.97.64.129     | 206.97.64.63     | 206.97.64.66
        |                   |                  |
        | fxp0              |                  |
   ------------         web server         mail server
   | FreeBSD  |
   | firewall |
   ------------
        | fxp1
        |
        | 206.97.64.200
   =====================  Internal network, all one physical net
As I understand how routing works in FreeBSD, this configuration
can work, because more specific routes are preferred. Will these
commands create the correct routing table?
route add default 206.97.64.1 -ifp fxp0
route add -interface 206.97.64.1 206.97.64.129 # route to router
route add -interface 206.97.64.63 206.97.64.129 # route to web server
route add -interface 206.97.64.66 206.97.64.129 # route to mail server
route add -interface 206.97.64.0 206.97.64.200 # route to internal net
Because both interfaces are on the same network, I assume I need to
use -ifp or -interface, but I'm not sure I understand the distinction
between the two.
Hopefully, I will be able to configure the Cisco router to forward
206.97.64.0 packets to the firewall only if they are not to the
web server or the mail server. If not, I was thinking that maybe
having the firewall use Proxy ARP to fool the router into sending
packets bound for the internal net to the firewall might work.
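The routing question above (whether host routes toward fxp0 override the network route toward fxp1, and the default route catches everything else) comes down to longest-prefix matching. The following is an added illustration, not code from the post or from FreeBSD: it models the five route entries the message proposes as a small table and resolves a few destinations against it. It assumes the bare "206.97.64.0" destination is interpreted as the classful /24 network, and the sample destinations are constructed for the example.

```python
import ipaddress

# Routing table modelled on the post's route(8) commands (constructed for this
# example; not output of a real FreeBSD system). Each entry is
# (destination prefix, gateway or None for a direct interface route, interface).
# Assumption: "206.97.64.0" without a mask is taken as the classful /24 network.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"),       "206.97.64.1", "fxp0"),  # default via Cisco
    (ipaddress.ip_network("206.97.64.1/32"),  None,          "fxp0"),  # router, direct
    (ipaddress.ip_network("206.97.64.63/32"), None,          "fxp0"),  # web server, direct
    (ipaddress.ip_network("206.97.64.66/32"), None,          "fxp0"),  # mail server, direct
    (ipaddress.ip_network("206.97.64.0/24"),  None,          "fxp1"),  # internal net, direct
]


def lookup(dst, routes=ROUTES):
    """Return the most specific route matching dst (longest-prefix match).

    Insertion order is irrelevant: a /32 host route always beats the /24
    network route, which always beats the /0 default, because the prefix
    length decides, not the position in the table.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifp in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifp)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def next_hop(dst, routes=ROUTES):
    """Resolve dst to (matched prefix, gateway or None, outgoing interface)."""
    net, gw, ifp = lookup(dst, routes)
    return (str(net), gw, ifp)


def forwarding_plan(destinations, routes=ROUTES):
    """Resolve a batch of destinations; handy for checking a table before deploying it."""
    return {dst: next_hop(dst, routes) for dst in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: one outside host, the web server,
    # an internal host, and an outside-hub host that has no host route.
    for dst, hop in forwarding_plan(
        ["198.51.100.7", "206.97.64.63", "206.97.64.150", "206.97.64.70"]
    ).items():
        print(f"{dst:15} -> prefix {hop[0]:17} gw {hop[1]!s:12} via {hop[2]}")
```

Running it shows the intended behaviour: the web and mail servers and the Cisco router resolve to their /32 routes out fxp0, addresses without a host route resolve to the /24 out fxp1, and anything off-net falls through to the default via 206.97.64.1 on fxp0. The last sample destination, 206.97.64.70, highlights the caveat in the proposed table: any host on the outside hub that is not given its own host route will be treated as internal and sent out fxp1, so the table has to carry one /32 per outside machine.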
