From owner-freebsd-net@FreeBSD.ORG Tue Dec 23 08:54:14 2003
From: Darcy Buskermolen
Organization: Wavefire Technologies Corp.
To: Peter Serwe, freebsd-net@freebsd.org
Date: Tue, 23 Dec 2003 08:54:14 -0800
User-Agent: KMail/1.5.4
References: <3FE841B4.8E6D47E9@easytree.net>
In-Reply-To: <3FE841B4.8E6D47E9@easytree.net>
Message-Id: <200312230854.14948.darcy@wavefire.com>
Subject: Re: ipfw/natd/3 nic
List-Id: Networking and TCP/IP with FreeBSD

On December 23, 2003 05:23 am, Peter Serwe wrote:
> Okay,
>
> Basically, since FreeBSD is (in my mind anyway)
> the ultimate leatherman of the OS world, and God's
> own gift to networking and network services in general
> I decided to try to do a 3 nic ipfw/natd setup.
>
> I've done 2 nic ipfw/natd a couple of times, straight
> ipfw public-->public ipfw a couple of times, I'm fairly
> comfortable with it..
>
> After searching around, I found a message from
> Gilson (de?)Paiva referencing some stuff Barney Wolff
> told him that basically straightened it out.
>
> Here's what I'm trying to accomplish:
>
> I have 2 internal networks that I'll term
> private_private (192.168.1.0/24)
> and public_private (192.168.2.0/24).
>
> The total number of clients between both
> networks probably could never exceed 100,
> and probably won't ever exceed 50.
>
> I have one public ip address.
>
> I need both networks to be able to surf,
> but I _never_ want ANY traffic to be able
> to go in between except from someone having
> direct access to the router.

Why not just add some simple firewall rules such as:

ipfw add deny ip from private_private to public_private
ipfw add deny ip from public_private to private_private

before you do your divert rule ?

-- 
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com
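An added example, not code from either poster: a minimal 3-NIC ipfw rule set for the two networks above, with the two deny rules placed ahead of the natd divert rule, plus a check that the ordering actually holds. The interface name, rule numbers and the loopback/default-allow rules are assumptions; only the two private networks come from the thread.

```shell
#!/bin/sh
# Added example for the ipfw/natd/3 nic thread (not from the original post).
# Assumed external interface; the two private networks are from the thread.
EXT_IF="fxp0"
PRIV_NET="192.168.1.0/24"   # private_private
PUB_NET="192.168.2.0/24"    # public_private

# Print the rule set in order. Rule numbers are constructed; the property that
# matters is that both inter-network deny rules precede the divert rule, so
# packets between the two LANs are dropped before natd ever sees them.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from ${PRIV_NET} to ${PUB_NET}
add 210 deny ip from ${PUB_NET} to ${PRIV_NET}
add 300 divert natd ip from any to any via ${EXT_IF}
add 400 allow ip from any to any
EOF
}

# Returns 0 when the last inter-network deny rule comes before the first
# divert rule, 1 otherwise. Ordering is what makes the isolation effective.
rules_order_ok() {
    n=0; last_deny=0; first_divert=0
    while read -r rule; do
        n=$((n + 1))
        case "$rule" in
            *"deny ip from ${PRIV_NET} to ${PUB_NET}"*|*"deny ip from ${PUB_NET} to ${PRIV_NET}"*)
                last_deny=$n ;;
            *"divert natd"*)
                if [ "$first_divert" -eq 0 ]; then first_divert=$n; fi ;;
        esac
    done <<EOF
$(ipfw_rules)
EOF
    [ "$last_deny" -gt 0 ] && [ "$first_divert" -gt "$last_deny" ]
}

# "sh this.sh apply" loads the rules on a FreeBSD router; anything else prints them.
if [ "$1" = "apply" ]; then
    ipfw -f flush
    ipfw_rules | while read -r rule; do ipfw $rule; done
else
    ipfw_rules
fi
```

Hosts on the router itself are not affected by rules 200/210, which matches the poster's requirement that only direct access to the router bridges the two networks.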