Date: 28 Sep 2001 14:20:08 -0700
From: swear@blarg.net (Gary W. Swearingen)
To: Mike Porter <mupi@mknet.org>
Cc: freebsd-stable@freebsd.org
Subject: Re: 127/8 continued
Message-ID: <izlmizj9mf.miz@localhost.localdomain>
In-Reply-To: <200109272225.f8RMPLH02946@c1828785-a.saltlk1.ut.home.com>
References: <20010924094048.X5906-100000@coredump.scriptkiddie.org> <200109271411.f8REBNH02164@c1828785-a.saltlk1.ut.home.com> <4cd74ctsac.74c@localhost.localdomain> <200109272225.f8RMPLH02946@c1828785-a.saltlk1.ut.home.com>
I'm really feeling guilty for using so much of people's time (including
my own), so I want you to please feel free to ignore this.
You write:
> While this is possible using NAT at the DSL router (most of them support it
> there), as a general rule, any machine that accepts packets from the
> internet, and injects packets to the internet, including a firewall, needs a
> public ("routeable") IP.
As long as I can set my DSL's router to make my firewall the DSL
router's gateway (and I can), I don't see why the firewall needs a
public IP. What or who needs to have "DST" addressed to my firewall?
It or they should be satisfied talking to my other hosts, no?
> (I guess FBSD supports transparent bridging with ipfw, but I
> haven't investigated it much)
http://www.FreeBSD.org/doc/en_US.ISO8859-1/articles/filtering-bridges/index.html
shows how to set it up two-legged (but barely introduces the concepts).
Someone warned of possible problems, esp. three-legged, I suppose from
lack of use & bug-reporting.
> There would be no
> way, to use your example, for someone tracerouting your /29, to know that
> a.b.c.2 and a.b.c.4 are on separate subnets.
I'll have to trust you that they can determine that and that I should care.
Actually that should be "I WILL trust you..." and take the advice of
experts even if I don't understand the reasons. I'm sure I can live
with the various problems of NAT in configuration and behavior.
> ummm....yeah, I must have meant that <(}; Actually I think I was thinking
> of /30 rather than /31.
Which would give a similar problem as /29. But don't worry about it.
> The only thing you lose is the DMZ.
Having a DMZ was the only reason I'm messing with any of this.
> > I think you're confusing gatewaying with bridging.
> >
> Yeah, although the terminology is frequently used interchangeably. That
> doesn't make it right. The distinction I would draw is between transparent
> bridging (which is what you describe) and "normal" bridging, which is
> probably better referred to as "gateway" or "relay" behaviour. I think
> gateway or relay behaviour is more what you are after. Or "switching"
> behavior might be the term.
In my little description of bridging I erred in considering it a cable
insert. I think the principal purpose of bridges is to limit the
propagation of broadcasts to parts of a many-host network.
I agree with your last comment; I want a filtering switch more than a
filtering bridge (though I'm not sure there's a difference with just two
other hosts). I wonder if that "filtering bridge" article should
comment on this topic.
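The two placements argued over in this thread, as an added toy model that is not part of the original mail or of any FreeBSD code: a firewall holding only a private address behind a DSL router that does source NAT, versus carving the public /29 into smaller subnets so the firewall and a DMZ sit on separate networks. The addresses (203.0.113.0/29 for the public block, 192.168.1.1 for the firewall, 198.51.100.10 for a remote server) are constructed from the RFC 5737 documentation ranges; the `NatRouter`, `nat_round_trip` and `split_block` names are this example's own.

```python
"""Toy model of NAT placement versus subnet splitting (added illustration).

Addresses are constructed from RFC 5737 documentation ranges; the NAT table
below is a deliberately simplified source-NAT, not a model of any real router.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Source NAT as a DSL router does it: rewrite the private source address
    to the router's one public address and remember the mapping for replies."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private ip, private port) -> public port
        self.in_map = {}    # public port -> (private ip, private port)

    def outbound(self, pkt):
        """Packet from the inside heading to the Internet."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[port] = key
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet from the Internet: only ports we mapped on the way out have an
        inside destination; anything else addressed to the public IP is dropped,
        which is why nobody on the outside needs the firewall's own address."""
        key = self.in_map.get(pkt.dport)
        if key is None:
            return None
        return Packet(pkt.src, pkt.sport, key[0], key[1])


def nat_round_trip(firewall_ip="192.168.1.1", server_ip="198.51.100.10"):
    """Firewall on a private address talks to a remote server through NAT."""
    router = NatRouter(public_ip="203.0.113.1")
    out = router.outbound(Packet(firewall_ip, 5555, server_ip, 80))
    reply = router.inbound(Packet(server_ip, 80, out.src, out.sport))
    # Unsolicited packet to the public address: no mapping, so it goes nowhere.
    stray = router.inbound(Packet(server_ip, 80, "203.0.113.1", 22))
    return out, reply, stray


def split_block(cidr="203.0.113.0/29", new_prefix=30):
    """Split a public block into subnets (firewall side / DMZ side) and list the
    host addresses each piece keeps once network and broadcast are taken."""
    net = ipaddress.ip_network(cidr)
    return {str(sub): [str(h) for h in sub.hosts()]
            for sub in net.subnets(new_prefix=new_prefix)}


if __name__ == "__main__":
    out, reply, stray = nat_round_trip()
    print("outbound as seen on the Internet:", out)
    print("reply delivered inside:", reply)
    print("unsolicited packet:", stray)
    for subnet, hosts in split_block().items():
        print(subnet, "usable hosts:", hosts)
```

Running it shows the remote server only ever sees the router's public address, and that splitting the /29 into two /30s leaves two usable addresses per side instead of six in the whole block, which is the price of the "separate subnets" layout.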
