From owner-freebsd-questions Wed Sep 30 01:19:21 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA21705 for freebsd-questions-outgoing; Wed, 30 Sep 1998 01:19:21 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from alcatel.fr (ns.celwave.tm.fr [194.133.58.131]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA21700 for ; Wed, 30 Sep 1998 01:19:19 -0700 (PDT) (envelope-from Thierry.Herbelot@alcatel.fr)
From: Thierry.Herbelot@alcatel.fr
Received: from alcatel.fr (gatekeeper-ssn.alcatel.fr [155.132.180.244]) by mailgate.alcatel.fr (ALCANET/SMTP) with ESMTP id KAA23437 for ; Wed, 30 Sep 1998 10:24:58 +0200
Received: from lune.telspace.alcatel.fr (lune.telspace.alcatel.fr [155.132.144.65]) by aifhs2.alcatel.fr (ALCANET/SMTP2) with ESMTP id KAA27272 for ; Wed, 30 Sep 1998 10:17:46 +0200 (MET DST)
Received: from telss1 (telss1.telspace.alcatel.fr [155.132.51.4]) by lune.telspace.alcatel.fr (8.9.1a/8.9.1) with SMTP id JAA14024; Wed, 30 Sep 1998 09:54:46 +0200 (MEST)
Received: from telspace.alcatel.fr by telss1 (4.1/SMI-4.1) id AA11349; Wed, 30 Sep 98 09:55:12 +0200
Received: from localhost by telspace.alcatel.fr with SMTP (1.40.112.12/16.2) id AA029810340; Wed, 30 Sep 1998 09:25:40 +0200
X-Openmail-Hops: 1
Date: Wed, 30 Sep 98 09:25:00 +0200
Message-Id:
In-Reply-To: <3.0.32.19980930044505.00ad84ec@mail.peace.com.my>
Subject: Not a cure for firewall licences. Re: Can DHCP really be this simple ?
Mime-Version: 1.0
To: panda@peace.com.my
Cc: freebsd-questions@FreeBSD.ORG
Content-Type: text/plain; charset=US-ASCII; name="Not"
Content-Disposition: inline; filename="Not"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello,

Just one question: how can the firewall see the Ethernet MAC addresses of the PCs which are behind the FreeBSD machine?
I would expect all Ethernet frames transmitted from the FreeBSD machine to use the MAC address of fxp0 (just the IP address in the header could be the address of one of your PCs, except with NAT: the IP address in each Ethernet frame is then also the address of the FreeBSD box).

TfH

PS: It's really sad that your setup does not work: it would be a very elegant way to circumvent the licencing policy of your firewall vendor.

PPS: do you have a tcpdump trace of the traffic between the FreeBSD box and the firewall? This trace could be used to explain why the firewall sees 50 machines when it should see only one....

> Just thought I'd mention that the set-up I described previously
> for a FreeBSD proxy/router does not circumvent firewall licences.
> Posting this to the list so that someone else doesn't make the
> same mistake :
>
> ie. we have -
>
> LAN (50 PCs) <----> fxp1
>                     fxp0 <----> Firewall <----> Internet
>
> The idea being that the one FreeBSD box could route traffic
> for the 50 PCs on the LAN. Having set this up (config below),
> we've now been told that our firewall (Checkpoint Firewall-1)
> still sees the 50 PCs as 50 machines, each requiring a licence...
> since it sees the different MAC addresses.
                               ^^^ how can this be ???
>
> So, looks like this was a waste of time - might as well turn
> the FreeBSD proxy/router into a webserver or something - and
> connect the LAN directly to the firewall.
>
> chas
>
>
> >I've got DHCP running but would appreciate it if someone could
> >pass an experienced eye over this configuration before I unleash
> >my Freebie box on 50 unsuspecting users tomorrow !
> >
> >The FreeBSD box sits between the LAN and firewall as follows :
> >
> >LAN (50 PCs) <----> fxp1
> >                    fxp0 <----> Firewall <----> Internet
> >
> >
> >The following startup scripts are appended to the end of /etc/rc.local :
> ># Start NATd on the external interface :
> >/usr/local/sbin/natd -interface fxp0
> ># Allow all packets through :
> >/sbin/ipfw -f flush
> >/sbin/ipfw add divert natd all from any to any via fxp0
> >/sbin/ipfw add pass all from any to any
> ># Start the DHCP server on the internal interface :
> >/usr/local/sbin/dhcpd fxp1
> >
> >
> >My /etc/dhcpd.conf file is based on the sample provided :
> ># dhcpd.conf
> >server-identifier proxy.ourdomain.com;        # the name of the proxy
> >option domain-name "ourdomain.com";           # our company's domain
> >option domain-name-servers ns.ourdomain.com;  # our dns server
> >
> >shared-network NEURONET {
> >  option subnet-mask 255.0.0.0;
> >  default-lease-time 600;
> >  max-lease-time 7200;
> >  subnet 10.0.0.0 netmask 255.0.0.0 {
> >    range 10.0.0.50 10.0.0.254;
> >    option broadcast-address 10.0.0.255;
> >    option routers 10.0.0.1;
> >  }
> >}
> >
> >Basically, I just want IPs between 10.0.0.50 and 10.0.0.254 to be
> >allocated dynamically to PCs connecting on the LAN. The above seems
> >to work but it was trial and error so I'm not that confident about
> >what I've done.
> >
> >Also, if I then want to run a server with fixed IP (eg. 202.184.153.17)
> >on one of the IPs on the LAN not assigned dynamically (eg. 10.0.0.17),
> >where is this translation entered ?
> >
> >chas
> >
> >ps. Since DHCP requires the bpfilter option in the kernel, should
> >anything else be done to beef up security on this machine ?
> >(I'm disabling telnet, ftp, sendmail etc. Plus it sits behind a firewall)
> >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
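The tcpdump check Thierry asks for, worked through as an added example that is not part of this thread or of anyone's posted configuration: it builds a handful of Ethernet/IPv4 frames the way they would appear on the fxp0 <-> firewall wire under three forwarding modes (plain bridging, IP forwarding without natd, and natd on fxp0), then counts the distinct source MACs and source IPs a per-host licence counter could key on. All MAC and IP addresses in it are constructed placeholders, and the three-mode model is an assumption used to illustrate the reasoning, not a description of what chas's box was actually doing.

```python
"""Added example (not from the original thread): what a per-MAC licensing firewall
would count on the fxp0 <-> firewall segment under three forwarding modes.
All MAC and IP addresses are constructed for illustration."""
import struct

ETHERTYPE_IPV4 = 0x0800

# Constructed addresses: the FreeBSD box's external NIC, the firewall's inner
# NIC, and five LAN PCs holding 10.0.0.x leases from dhcpd.
FXP0_MAC = "00:a0:c9:00:00:01"
FXP0_IP = "192.0.2.10"
FW_MAC = "00:00:0c:00:00:fe"
LAN_HOSTS = [("00:50:04:00:00:%02x" % i, "10.0.0.%d" % (50 + i)) for i in range(5)]


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II header plus a minimal IPv4 header with no payload."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20, 0, 0, 64, 6, 0,   # ver/IHL, TOS, len, id, frag, TTL, TCP, csum
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    return eth + ip_hdr


def parse_frame(frame):
    """Return (src_mac, src_ip) as tcpdump -e -n would show them, or None if not IPv4."""
    if len(frame) < 34:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4 or (frame[14] >> 4) != 4:
        return None
    src_ip = frame[26:30]  # IPv4 source address: 12 bytes into the IP header
    return (":".join("%02x" % b for b in src), ".".join(str(b) for b in src_ip))


def frames_on_fw_segment(mode, hosts=LAN_HOSTS, dst_ip="198.51.100.1"):
    """One outbound frame per LAN PC, as it appears on fxp0's wire in the given mode."""
    frames = []
    for pc_mac, pc_ip in hosts:
        if mode == "bridge":    # frames forwarded untouched: every PC's MAC reaches the firewall
            frames.append(build_frame(pc_mac, FW_MAC, pc_ip, dst_ip))
        elif mode == "route":   # IP forwarding only: fxp0's MAC, but the PCs' own 10.x addresses
            frames.append(build_frame(FXP0_MAC, FW_MAC, pc_ip, dst_ip))
        elif mode == "nat":     # natd on fxp0: fxp0's MAC and fxp0's IP on every frame
            frames.append(build_frame(FXP0_MAC, FW_MAC, FXP0_IP, dst_ip))
        else:
            raise ValueError("unknown mode: %s" % mode)
    return frames


def firewall_view(frames):
    """Count distinct source MACs and source IPs, which is all a per-host licence can key on."""
    macs, ips = set(), set()
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is not None:
            macs.add(parsed[0])
            ips.add(parsed[1])
    return len(macs), len(ips)


if __name__ == "__main__":
    for mode in ("bridge", "route", "nat"):
        n_macs, n_ips = firewall_view(frames_on_fw_segment(mode))
        print("%-6s firewall sees %d MAC(s), %d IP(s)" % (mode, n_macs, n_ips))
```

With the natd + ipfw divert setup quoted above, the expected row is the "nat" one: one MAC and one IP on the firewall side. Feeding parse_frame the frames from a real capture on fxp0 (tcpdump -e prints the link-level header, -n suppresses name lookups) tells you which row the box actually matches; if more than one source MAC shows up on that wire, the traffic is not being rewritten at layer 2 at all, which is the only way the firewall could be seeing 50 MAC addresses.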