From owner-freebsd-questions Thu Aug 19 7:15:39 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from dns.ie-online.it (dns.ie-online.it [194.133.148.8]) by hub.freebsd.org (Postfix) with ESMTP id 483C2150F5 for ; Thu, 19 Aug 1999 07:15:34 -0700 (PDT) (envelope-from sriva@alice.it)
Received: from dns.ie-interna.it (host-ie-trezzano.ie-online.it [194.133.148.44]) by dns.ie-online.it (8.8.8/8.8.8) with ESMTP id QAA18726; Thu, 19 Aug 1999 16:12:20 +0200 (CEST) (envelope-from sriva@alice.it)
Received: from stefano (stefano.ie-interna.it [192.168.0.33]) by dns.ie-interna.it (8.8.8/8.8.8) with SMTP id QAA09884; Thu, 19 Aug 1999 16:12:19 +0200 (CEST) (envelope-from sriva@alice.it)
Message-Id: <3.0.5.32.19990819161320.009d73c0@relay.alice.it>
X-Sender: riva@relay.alice.it
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Thu, 19 Aug 1999 16:13:20 +0200
To: "Langa Kentane"
From: Stefano Riva
Subject: Re: router and firewall question
Cc: freebsd-questions@FreeBSD.ORG
In-Reply-To: <001401beea38$41c28d90$0a01a8c0@sunshine.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 13.34 19/08/99 +0200, you wrote:
>I have a cisco 2511 connected to the internet thru s0. The ip adress of s0
>is set to unnumbered (eth0). Eth0's ip address is x.y.25.1 255.255.255.192.
>My isp has assigned me 64 ip addresses.
>I want to put up a freebsd firewall between the router and the rest of the
>network. All hosts will be behind the firewall.
>What should the ip address of the interfaces on the firewall machine be? And
>how will this affect the rest of my network's ip addresses?

As for software, there are mainly two choices: you may use the "original" ipfw + natd mechanism bundled with FreeBSD (take a look at /etc/rc.firewall) or Darren Reed's IP-Filter package, also bundled with FreeBSD 3.x. Start by enabling gateway mode in your /etc/rc.conf: gateway_enable="YES".

I'd suggest IP-Filter, because IMO it's more powerful; take a look at http://cheops.anu.edu.au/~avalon/ip-filter.html. You would have to enable it in your kernel configuration file and recompile the kernel (look at /sys/i386/conf/LINT about enabling it and at www.freebsd.org about recompiling the kernel). Anyway, maybe ipfw + natd are better documented and you would easily find more people able to help you on this list (I tried both ipfw + natd and IP-Filter in the past, but currently I don't manage a firewall with FreeBSD, so I can't help you with details). It's up to you.

First of all, read the Handbook's intro to firewalls at http://www.freebsd.org/handbook/firewalls.html.

You'll have to set up the "public" interface on your machine with a public IP, i.e. one assigned to you by your ISP. Then you have to choose whether you want to use NAT (Network Address Translation) or not: with NAT you would use a private class of IP addresses for your private network (192.168.0.0/24 for example, if a class C is enough for you) and they would be translated into a pool of public addresses or into a single public address by your BSD box. I'd suggest using NAT for flexibility; for example, changing ISP would be almost painless... You could also have many more than 64 private IPs with your 64 public addresses only.

Example for your case:
  Cisco's eth0:          x.y.25.1/26
  BSD public interface:  x.y.25.2/26
  BSD private interface: 192.168.0.1/24
  your machines:         from 192.168.0.2/24 to 192.168.0.254/24

If you're using UTP on your LAN, you may connect the Cisco router and the BSD box directly with a cross-over cable.

Probably it sounds complicated... Well, it is, at least a little bit. ;-)

---
Stefano Riva
Software Engineer - Systems Administrator
Informazioni Editoriali I.E. Srl
Voice +39-02283151, Fax +39-0228315900
Email sriva@alice.it

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
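Below is an added worked example for the ipfw + natd route Stefano mentions, using the addressing plan from his reply (Cisco eth0 x.y.25.1/26, BSD public interface x.y.25.2/26, private LAN 192.168.0.0/24 behind 192.168.0.1). It is not Stefano's code and not FreeBSD's own /etc/rc.firewall; the interface names ed0/ed1 are assumptions, and "x.y" stays the placeholder the thread uses for the ISP prefix. It goes a little beyond the reply by adding the anti-spoofing rules a practitioner would want once a private range sits behind NAT. The rc.conf and kernel settings are in the comments; the script itself prints the ruleset for review and only applies it when FW is set to the real ipfw binary.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD's rc.firewall):
# ipfw + natd for the /26-behind-NAT layout discussed in the reply, written
# against FreeBSD 3.x ipfw syntax. Interface names and the x.y prefix are
# assumptions; substitute your own.
#
# Kernel config: add "options IPFIREWALL" and "options IPDIVERT" (natd needs
# the divert socket) and "options IPFIREWALL_VERBOSE" if you want the "log"
# keyword to do anything. Without IPFIREWALL_DEFAULT_TO_ACCEPT the new kernel
# denies ALL traffic until a ruleset is loaded, so test from the console,
# not over the network.
#
# /etc/rc.conf (assumed interface names):
#   gateway_enable="YES"
#   ifconfig_ed0="inet x.y.25.2 netmask 255.255.255.192"   # public, to Cisco eth0
#   ifconfig_ed1="inet 192.168.0.1 netmask 255.255.255.0"  # private LAN
#   defaultrouter="x.y.25.1"
#   natd_enable="YES"
#   natd_interface="ed0"
#   firewall_enable="YES"
#   firewall_type="/etc/rc.firewall.local"   # this file
#
# Default is a dry run that prints the rules. Apply with:
#   FW=/sbin/ipfw sh /etc/rc.firewall.local

OIF="ed0"              # public interface (assumed name)
OIP="x.y.25.2"         # public address from the reply's example
ONET="x.y.25.0/26"     # the /26 the ISP assigned
IIF="ed1"              # private interface (assumed name)
INET="192.168.0.0/24"  # private LAN from the reply's example

FW="${FW:-echo ipfw}"  # "echo ipfw" prints, "/sbin/ipfw" applies

ruleset() {
    $FW -f flush

    # The divert rule comes first: inbound packets are un-NATed before the
    # filter sees them, and outbound packets already carry $OIP as source by
    # the time the later rules run.
    $FW add divert natd all from any to any via $OIF

    # Loopback is fine; 127/8 must never appear on a real interface.
    $FW add pass all from any to any via lo0
    $FW add deny all from any to 127.0.0.0/8
    $FW add deny all from 127.0.0.0/8 to any

    # Anti-spoofing. Our public /26 must not arrive from the LAN side, and
    # RFC 1918 space must not cross the public interface in either direction
    # (LAN traffic going out has already been translated by natd; if it shows
    # up here untranslated, natd is not running and you want the log line).
    $FW add deny log all from $ONET to any in via $IIF
    $FW add deny log all from 192.168.0.0/16 to any via $OIF
    $FW add deny log all from 172.16.0.0/12 to any via $OIF
    $FW add deny log all from 10.0.0.0/8 to any via $OIF

    # Stateless TCP: established flows and fragments pass; new connections
    # initiated from the outside are refused and logged; everything else
    # (LAN hosts opening connections, via $INET on $IIF) may set up.
    $FW add pass tcp from any to any established
    $FW add pass all from any to any frag
    $FW add deny log tcp from any to any in via $OIF setup
    $FW add pass tcp from $INET to any setup in via $IIF
    $FW add pass tcp from $OIP to any setup out via $OIF

    # DNS replies come back to the public address; natd maps them to the LAN.
    $FW add pass udp from $OIP to any 53
    $FW add pass udp from any 53 to $OIP

    # ICMP: echo reply, unreachable, echo request, time exceeded.
    $FW add pass icmp from any to any icmptypes 0,3,8,11

    # Default deny, logged.
    $FW add deny log all from any to any
}

ruleset
```

Run it once without FW set and read the output top to bottom: the divert rule must be the second line (right after the flush), the spoof-denies must precede the "established" shortcut, and the last line must be the logged default deny. Only then apply it with FW=/sbin/ipfw from the console.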