Date: Wed, 9 Jul 1997 14:36:36 -0500 (EST) From: Kenneth Chiu <chiuk@cs.indiana.edu> To: freebsd-isp@freebsd.org Subject: FreeBSD as a router/firewall in this poorly-configured network Message-ID: <Pine.BSF.3.95q.970709143441.4935C-100000@ganymede.bloomington.nsisw.com>
I would like to use FreeBSD as a firewall between an "unsecure" physical
network and a "secure" physical network. Unfortunately, there is no
subnetting, and I can't change IP numbers for political reasons.
Here is the configuration:
                         |
                         |
                    T1   |
                         |
                         |
                    ----------
                    |  Cisco  |
                    |  router |
                    ----------
                         | 206.97.64.1
                         |
                         |                                   Hub
        =======================================
              | 206.97.64.129    | 206.97.64.63    | 206.97.64.66
              |                  |                 |
              | fxp0             |                 |
        ------------        web server        mail server
        |  FreeBSD |
        | firewall |
        ------------
              | fxp1
              |
              | 206.97.64.200
        =====================  Internal network, all one physical net
As I understand how routing works in FreeBSD, this configuration
can work, because more specific routes are preferred. Will these
commands create the correct routing table?
route add default 206.97.64.1 -ifp fxp0
route add -interface 206.97.64.1 206.97.64.129 # route to router
route add -interface 206.97.64.63 206.97.64.129 # route to web server
route add -interface 206.97.64.66 206.97.64.129 # route to mail server
route add -interface 206.97.64.0 206.97.64.200 # route to internal net
Because both interfaces are on the same network, I assume I need to
use -ifp or -interface, but I'm not sure I understand the distinction
between the two.
Hopefully, I will be able to configure the Cisco router to forward
206.97.64.0 packets to the firewall only if they are not to the
web server or the mail server. If not, I was thinking that maybe
having the firewall use Proxy ARP to fool the router into sending
packets bound for the internal net to the firewall might work.
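As an added example (not part of the original message or FreeBSD's own code), a small Python model of longest-prefix-match lookup over the routing table proposed above, showing which interface each destination would leave on and where two routes tie. It assumes fxp0 keeps a connected 206.97.64.0/24 route from its own address/mask and that the 206.97.64.0 entry is treated as a /24 network route; the kernel's actual tie-breaking is not modelled.

```python
# Added example: longest-prefix-match model of the proposed routing table.
# Assumptions (not from the post): fxp0 is 206.97.64.129/24, so a connected
# /24 route exists on fxp0, and "206.97.64.0" is a /24 network route.
import ipaddress

# (destination prefix, outgoing interface, gateway or None)
# Constructed from the route commands in the post plus the assumed connected route.
ROUTES = [
    ("0.0.0.0/0",       "fxp0", "206.97.64.1"),  # default via the Cisco router
    ("206.97.64.1/32",  "fxp0", None),           # host route to the router
    ("206.97.64.63/32", "fxp0", None),           # host route to the web server
    ("206.97.64.66/32", "fxp0", None),           # host route to the mail server
    ("206.97.64.0/24",  "fxp0", None),           # connected net on fxp0 (assumed /24 mask)
    ("206.97.64.0/24",  "fxp1", None),           # route to the internal net via fxp1
]


def lookup(dst, routes=ROUTES):
    """Return the interfaces of every route matching dst at the longest prefix.

    A single element is an unambiguous choice; more than one element is a tie
    that the kernel would have to break (it keeps only one such route), which
    is exactly the case for internal hosts when both /24 routes are present.
    """
    addr = ipaddress.ip_address(dst)
    best_len, best = -1, []
    for prefix, ifname, _gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best_len, best = net.prefixlen, [ifname]
        elif net.prefixlen == best_len:
            best.append(ifname)
    return best


if __name__ == "__main__":
    for dst in ("206.97.64.63", "206.97.64.1", "206.97.64.200", "10.1.2.3"):
        print(dst, "->", lookup(dst))
```

The host routes for the router, web server and mail server resolve to fxp0 unambiguously, and anything outside 206.97.64.0/24 falls to the default; only the internal addresses land on two equal-length routes.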