Date: Wed, 9 Jul 1997 14:29:26 -0500 (EST)
From: Kenneth Chiu <chiuk@cs.indiana.edu>
To: freebsd-questions@freebsd.org, freebsd-ips@freebsd.org
Subject: FreeBSD as a router/firewall in this poorly-configured network
Message-ID: <Pine.BSF.3.95q.970709141859.4935A-100000@ganymede.bloomington.nsisw.com>
I would like to use FreeBSD as a firewall between an "unsecure" physical network and a "secure" physical network. Unfortunately, there is no subnetting, and I can't change IP numbers for political reasons. Here is the configuration:

                        |
                        | T1
                        |
                    ----------
                    | Cisco  |
                    | router |
                    ----------
                        | 206.97.64.1
                        |
    Hub =======================================
           | 206.97.64.129    | 206.97.64.63     | 206.97.64.66
           |                  |                  |
           | fxp0             |                  |
      ------------        web server         mail server
      | FreeBSD  |
      | firewall |
      ------------
           | fxp1
           | 206.97.64.200
    =====================
    Internal network, all one physical net

As I understand how routing works in FreeBSD, this configuration can work, because more specific routes are preferred. Will these commands create the correct routing table?

    route add default 206.97.64.1 -ifp fxp0
    route add -interface 206.97.64.1 206.97.64.129    # route to router
    route add -interface 206.97.64.63 206.97.64.129   # route to web server
    route add -interface 206.97.64.66 206.97.64.129   # route to mail server
    route add -interface 206.97.64.0 206.97.64.200    # route to internal net

Because both interfaces are on the same network, I assume I need to use -ifp or -interface, but I'm not sure I understand the distinction between the two.

Hopefully, I will be able to configure the Cisco router to forward 206.97.64.0 packets to the firewall only if they are not to the web server or the mail server. If not, I was thinking that maybe having the firewall use Proxy ARP to fool the router into sending packets bound for the internal net to the firewall might work.
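As an added illustration, not part of the original message, the following Python models longest-prefix route selection over the table the poster proposes, so the reader can see which interface each destination would be handed to and why the host routes to the router, web server and mail server win over the internal-net route. The /24 mask and the sample destinations 206.97.64.150 and 198.51.100.7 are assumptions; the code models the selection rule only and makes no claim about how the FreeBSD kernel actually handles two interfaces on one subnet.

```python
# Added example (not from the original message): a longest-prefix-match
# model of the routing table the poster intends.
import ipaddress

# Each entry: (destination prefix, next-hop gateway or None if directly
# attached, outgoing interface). Addresses are from the poster's diagram;
# the /24 mask is an assumption (the message only says "no subnetting").
INTENDED_ROUTES = [
    ("0.0.0.0/0",       "206.97.64.1", "fxp0"),  # default via the Cisco router
    ("206.97.64.1/32",  None,          "fxp0"),  # host route to the router
    ("206.97.64.63/32", None,          "fxp0"),  # host route to the web server
    ("206.97.64.66/32", None,          "fxp0"),  # host route to the mail server
    ("206.97.64.0/24",  None,          "fxp1"),  # everything else: internal side
]


def build_table(routes):
    """Parse the textual routes into (network, gateway, ifname) tuples."""
    return [(ipaddress.ip_network(prefix, strict=True), gw, ifname)
            for prefix, gw, ifname in routes]


def lookup(table, dst):
    """Return (gateway, ifname) for dst using longest-prefix match.

    Among all routes whose prefix contains dst, the longest prefix wins.
    This is the "more specific routes are preferred" rule the poster
    relies on: a /32 host route beats the /24, which beats the default.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def classify(table, destinations):
    """Map each destination to the interface the table would send it out of."""
    return {d: lookup(table, d)[1] for d in destinations}


if __name__ == "__main__":
    table = build_table(INTENDED_ROUTES)
    # Constructed sample destinations: a DMZ host, an internal host, an outside host.
    for dst, iface in classify(table, ["206.97.64.63", "206.97.64.150",
                                       "198.51.100.7"]).items():
        print(f"{dst:>15} -> {iface}")
```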