From owner-freebsd-net@FreeBSD.ORG Tue Dec 23 08:23:28 2003
Date: Tue, 23 Dec 2003 11:23:23 -0500
From: Barney Wolff
To: Peter Serwe
cc: freebsd-net@freebsd.org
Subject: Re: ipfw/natd/3 nic
Message-ID: <20031223162323.GA44463@pit.databus.com>
In-Reply-To: <3FE841B4.8E6D47E9@easytree.net>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.5.5.1i

On Tue, Dec 23, 2003 at 08:23:00AM -0500, Peter Serwe wrote:
>
> I have 2 internal networks that I'll term
> private_private (192.168.1.0/24)
> and public_private (192.168.2.0/24).
>
> I have one public IP address.
>
> I need both networks to be able to surf,
> but I _never_ want ANY traffic to be able
> to go in between except from someone having
> direct access to the router. The router shouldn't
> be passing any traffic in between private networks.
I don't think you need(ed) two public addresses to accomplish what you want.
The ipfw divert rule can have "via " to apply only to packets to/from the
Internet, and you can have deny rules for packets flowing between your two
internal nets. I don't see a need to run two natd's here.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.