From owner-freebsd-net Mon Apr 30 10:53:33 2001
Delivered-To: freebsd-net@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 818AB37B422 for ; Mon, 30 Apr 2001 10:53:27 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f3UJ35j78834; Mon, 30 Apr 2001 14:03:05 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Mon, 30 Apr 2001 14:03:04 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: John Wilson
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: ipfw routing/netmask problem
In-Reply-To: <17607983.988650352302.JavaMail.imail@almond.excite.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 30 Apr 2001, John Wilson wrote:

> > > fxp1 is bound to several IPs, 192.168.1.254 and 192.168.2.254 for two
> > > different types of NAT clients, and 90.91.92.4 for the DMZ.
> >
> > Define "2 different types of NAT clients". Your DMZ is not on a
> > separate network of your private network? By doing that you are
> > getting rid of the whole concept of having a DMZ.
>
> Two different companies sharing the line. It's easier to use two
> different unregistered subnets for NAT clients (bandwidth accounting,
> etc.), although both are aliased to appear from the exposed interface
> (90.91.92.2)
>
> I don't see a problem with DMZ being on the same network with everyone
> else, other than that people can steal routable IPs, but then the
> firewall is configured to block all incoming traffic to 62.90.91.2
> (except for established connections), and has specific rules for each
> allowed DMZ server (allow incoming 25 for mail, 80 for http, etc.), so
> even if someone steals an extra IP, the firewall will reject them.

If someone compromises a machine on the DMZ, they have access to your
private network...sniffing..etc.
> > You have 2 options here.
> >
> > 1) Setup proxy arp on your outside interface. Binding the whole
> > /27 address range (with exception of the router's IP) to your BSD
> > machine. Make natd translations accordingly.
> >
> > 2) Setup your DMZ using 90.91.92.16/28 IP range which gives you
> > enough IPs to play with, and leaves the 90.91.92.4/30 and
> > 90.91.92.8/29 subnets to play with. Add the routes in the router to
> > route the subnets to your BSD machine's IP. Make natd translations
> > accordingly if you decide to run private address space for your DMZ,
> > if not no additional work needs to be done.
>
> Which option is better? How do I set up proxy arp?

I would probably run with Option 2 first. But keep in mind that there
are other options.

> This seems like a good solution. Please help me figure out the
> subnets/routes I need to use. So far, I have this:
>
>   /---------------------\
>   | router 90.91.92.1   |
>   \---------------------/
>              |
>              |
>   /---------------------\     /---------------------\
>   | fxp0 90.91.92.2/30  |-----| fxp1 90.91.92.?/?   |
>   \---------------------/     \---------------------/
>                                  -|        |        |-----------
>                                   |        |        |
>                               /-------\ /-------\ /-------\
>                               | NAT 1 | | NAT 2 | |  DMZ  |
>                               \-------/ \-------/ \-------/
>
> All I gotta do is fill in the missing blanks :)

fxp1= 90.91.92.17 netmask 255.255.255.240

All DMZ machines (90.91.92.18 -> 90.91.92.30) are setup with the same
netmask (255.255.255.240) and point to .17 as their gateway.

I would, however, change your physical setup by splitting off your DMZ
onto its own ethernet card and switch like so:

      Public (Router)
            |
           fxp0
            |
           BSD --fxp2---DMZ
            |
           fxp1
            |
       Private Net
          /    \
       nat1    nat2

It just makes more sense security wise and makes administration a
little less difficult. It also gives you more options with firewalling
and such.

Nick Rogness
- Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"
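The subnet plan in Nick's reply (Option 2: carve the /27 into the
router's /30, the spare 90.91.92.4/30 and 90.91.92.8/29, and a
90.91.92.16/28 DMZ with fxp1 at .17 and hosts .18-.30 behind
255.255.255.240) can be checked rather than worked out by hand. The
script below is an added worked example, not code from either message in
the thread. It assumes the ISP allocation is 90.91.92.0/27 (the thread
only says "/27") and that the router link is the 90.91.92.0/30 that
holds .1 and .2; every other address comes from the thread.

```python
import ipaddress

# Values taken from the thread; the enclosing block is an assumption
# (the messages only say "the whole /27").
FXP0 = ipaddress.ip_interface("90.91.92.2/30")      # BSD box, outside interface
ROUTER = ipaddress.ip_address("90.91.92.1")          # upstream router
DMZ_NET = ipaddress.ip_network("90.91.92.16/28")     # Option 2 DMZ range
SPARE = [ipaddress.ip_network("90.91.92.4/30"),
         ipaddress.ip_network("90.91.92.8/29")]
ALLOCATION = ipaddress.ip_network("90.91.92.0/27")   # assumed ISP allocation


def plan_tiles_allocation(allocation, subnets):
    """True when every subnet lies inside the allocation, none overlap,
    and together they account for every address (nothing left unrouted)."""
    inside = all(n.subnet_of(allocation) for n in subnets)
    collapsed = list(ipaddress.collapse_addresses(subnets))
    claimed = sum(n.num_addresses for n in subnets)
    merged = sum(n.num_addresses for n in collapsed)
    return inside and claimed == merged and collapsed == [allocation]


def dmz_addressing(dmz_net):
    """Gateway address for fxp1 (first usable host), the usable host
    range for DMZ machines, and the dotted netmask they must all share."""
    hosts = list(dmz_net.hosts())
    return {
        "fxp1": ipaddress.ip_interface(f"{hosts[0]}/{dmz_net.prefixlen}"),
        "first_host": hosts[1],
        "last_host": hosts[-1],
        "netmask": str(dmz_net.netmask),
    }


def host_config_valid(ip, netmask, gateway):
    """The sanity check a DMZ host's settings should pass: the gateway is
    in the host's own subnet, and neither address is the network or
    broadcast address. A wrong netmask is the usual way this fails."""
    host = ipaddress.ip_interface(f"{ip}/{netmask}")
    gw = ipaddress.ip_address(gateway)
    net = host.network
    reserved = (net.network_address, net.broadcast_address)
    return gw in net and host.ip not in reserved and gw not in reserved


def router_routes(subnets, next_hop):
    """Static routes the upstream router needs: each subnet behind the BSD
    box via fxp0. A subnet that already contains the next hop is directly
    connected and needs no route."""
    return [(str(n), str(next_hop)) for n in subnets if next_hop not in n]


if __name__ == "__main__":
    plan = [FXP0.network] + SPARE + [DMZ_NET]
    print("plan covers the /27 exactly:", plan_tiles_allocation(ALLOCATION, plan))
    for key, value in dmz_addressing(DMZ_NET).items():
        print(f"{key:>10}: {value}")
    for dest, via in router_routes(SPARE + [DMZ_NET], FXP0.ip):
        print(f"router: route {dest} via {via}")
    print("host .18/240 -> gw .17 ok:",
          host_config_valid("90.91.92.18", "255.255.255.240", "90.91.92.17"))
    print("host .25/248 -> gw .17 ok:",
          host_config_valid("90.91.92.25", "255.255.255.248", "90.91.92.17"))
```

The tiling check is the one worth keeping around: if the spare /30 and
/29 are later handed to another tenant, re-running it shows whether the
new plan still overlaps nothing and leaves no address of the /27
unrouted.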