From owner-freebsd-questions Wed May 15 18:57:33 1996
Return-Path: owner-questions
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id SAA11774 for questions-outgoing; Wed, 15 May 1996 18:57:33 -0700 (PDT)
Received: (from jmb@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id SAA11768; Wed, 15 May 1996 18:57:31 -0700 (PDT)
From: "Jonathan M. Bresler"
Message-Id: <199605160157.SAA11768@freefall.freebsd.org>
Subject: Re: Networking / Routing question
To: nate@sri.MT.net (Nate Williams)
Date: Wed, 15 May 1996 18:57:31 -0700 (PDT)
Cc: msmith@atrad.adelaide.edu.au, nate@sri.MT.net, questions@freebsd.org
In-Reply-To: <199605160055.SAA21095@rocky.sri.MT.net> from "Nate Williams" at May 15, 96 06:55:51 pm
X-Mailer: ELM [version 2.4 PL24]
Content-Type: text
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Nate Williams wrote:
>
> Michael Smith writes:
> > Nate Williams stands accused of saying:
> > >
> > > > > Since I have two ethernet segments, I must have two different subnets,
> > > > > but I don't see any easy solution to the problem. It would be nice if I
> > > > > could use the ethernet segment as a point-point connection in this case
> > > > > (for latency & BW ethernet is the cheapest way to go).
> > > > >
> > > > > What would you suggest?
> > > >
> > > > use rfc-1918 addresses on the segment between the router and the
> > > > firewall. keep all your 32 ip addresses for your hosts.
> >
> > I was going to suggest this, until it occurred to me that it would be
> > impossible for the firewall to connect out through the router. (With a
> > default route set to the router, packets originating on the firewall
> > will have an unroutable source address, and responses will never come
> > back.)
>
> The 'firewall' is our main email gateway box, and will end up doing all
> of the 'ftp/www/dns/etc' service to the world.

Do you really want to run those services on a firewall? Perhaps on a host protected by the firewall, or on a sacrificial host outside the firewall (hardware-jumpered read-only SCSI disks are *wonderful* ;).

How about replacing the router with a FreeBSD box that supports those services, and making the firewall a real firewall rather than a services box?

Use two hard disks (minimum) in the services/router box. Install the operating system and your binaries on one, hardware-jumpered read-only. On the second, place /tmp, /incoming and what have you. Then you can run a mail replacement program like smapd from the fwtk on the services/router box and send all mail to a mail hub located inside the real firewall. Making changes will mean downing the box, but that's okay. You want to reach a stable set of binaries anyway and then leave the configuration alone, unless a vulnerability is discovered.

Another possibility is using a NAT capability, and allocating yourself a class A internal address ;)

http://cheops.anu.edu.au/~avalon/

It is IP Filter by Darren Reed. Though I have not used it myself, Darren's mail to firewalls and other lists has always been useful. That way you can place one or more servers outside using your allocated addresses and leave the rest of the hosts behind the firewall, allowing them to access the net via NAT. NAT is discussed in rfc1631. I ain't saying that NAT is elegant, just saying that it may well be a solution to your particular situation.

ip-filt-3.0.4 does a fairly nice job of IP filtering. It can run as an lkm. However you run it, you must patch the kernel sources in order to use it, especially if you want NAT. Darren Reed claims it will work with FreeBSD 2.0 and 2.1.0 (sic). I imagine that you have to forget about current. But you wouldn't be running current on that kind of box anyway, right? Right!

jmb
--
Jonathan M. Bresler   FreeBSD Postmaster   jmb@FreeBSD.ORG
FreeBSD--4.4BSD Unix for PC clones, source included.   http://www.freebsd.org/
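The layout jmb sketches above (servers outside on the allocated addresses, everything else behind the box and reaching the net via NAT) written out as IP Filter configuration. This is an added example, not part of the original mail and not taken from IP Filter's own documentation. Assumptions: the FreeBSD box has ed0 as the outside interface and ed1 as the inside interface, the 32 allocated addresses are stood in for by the documentation range 203.0.113.0/27 (203.0.113.1 on ed0, 203.0.113.10 a sacrificial services host outside), and the inside hosts use the rfc1918 range 10.0.0.0/24. Two files are shown in one block, each introduced by a comment naming it.

```conf
# ---- /etc/ipf.rules (added example; interface names and addresses are assumptions)
#
# ed0 = outside, ed1 = inside
# 203.0.113.0/27 = the allocated block (documentation range standing in for the real one)
# 10.0.0.0/24    = rfc1918 addresses used behind the box

# Default deny in both directions; everything below is an explicit exception.
block in log all
block out log all

# Anti-spoofing: rfc1918 space and our own block must never arrive from outside.
block in log quick on ed0 from 10.0.0.0/8 to any
block in log quick on ed0 from 172.16.0.0/12 to any
block in log quick on ed0 from 192.168.0.0/16 to any
block in log quick on ed0 from 203.0.113.0/27 to any

# Services offered to the world live on the sacrificial host outside (203.0.113.10):
# smtp, www and dns. Only the initial SYN is accepted; "keep state" lets the
# rest of each connection through without further rules.
pass in quick on ed0 proto tcp from any to 203.0.113.10/32 port = 25 flags S keep state
pass in quick on ed0 proto tcp from any to 203.0.113.10/32 port = 80 flags S keep state
pass in quick on ed0 proto tcp from any to 203.0.113.10/32 port = 53 flags S keep state
pass in quick on ed0 proto udp from any to 203.0.113.10/32 port = 53 keep state

# Inside hosts may open connections outward; the state table admits the replies.
# Outbound packets are filtered before NAT, so this rule still sees the 10.0.0.x source.
pass in  quick on ed1 from 10.0.0.0/24 to any keep state
pass out quick on ed0 from 10.0.0.0/24 to any keep state

# ---- /etc/ipnat.conf (added example)
#
# Translate the inside range to the box's own outside address. The portmap line
# rewrites source ports for tcp/udp so many inside hosts can share one address;
# the plain map line catches everything else (icmp and so on).
map ed0 10.0.0.0/24 -> 203.0.113.1/32 portmap tcp/udp 40000:60000
map ed0 10.0.0.0/24 -> 203.0.113.1/32
```

Load with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.conf` (flush existing rules and NAT mappings, then read the new files). Two points worth keeping in mind when reading the rules: IP Filter applies NAT to inbound packets before the filter and to outbound packets after it, so inbound rules are written against the translated addresses and outbound rules against the untranslated ones; and the anti-spoofing block on our own 203.0.113.0/27 is what stops an outsider from forging the sacrificial host's address to reach anything the rules trust by source.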