Date:      Mon, 05 Feb 2001 09:39:12 -0800
From:      Julian Elischer <julian@elischer.org>
To:        Rich Wales <richw@webcom.com>
Cc:        freebsd-net@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: netgraph router? (was Re: BRIDGE breaks ARP?)
Message-ID:  <3A7EE540.AA3A1AF0@elischer.org>
References:  <20010205172708.36311.richw@wyattearp.stanford.edu>

Rich Wales wrote:
> 
> Julian Elischer wrote:
> 
>     > > > try using netgraph bridging instead.
> 
> and I replied:
> 
>     > > Can't do this until the netgraph code supports ipfirewall
>     > > or ipfilter.
> 
> to which Julian replied:
> 
>     > why can't you use routing?  (ipfw only REALLY works with IP
>     > packets anyhow..)  OR you can do what some people do which
>     > is make a netgraph 'router' where appletalk and other NON-IP
>     > packets are bridged and IP packets are routed.
> 
> Could you explain this in more detail -- possibly directing me to
> an example?

some people run a bridge between two ethernet segments,
but give them different IP netranges, thus IP goes via the
IP code and routes while other protocols 'see' each other directly
and go through the bridge. The clients are told to go via the router
(bsd machine) so they do..
I don't see how this would help in your situation though.

> 
> My requirements are:
> 
> ==> I need to protect my main desktop machine behind a firewall
>     (which is why I'm running IPFIREWALL on my bridge).
> 
> ==> My main desktop machine needs to have its own, "public" IP
>     address (my work requires me to use some Kerberized security
>     services that won't survive NAT-munging through a router).
> 
> ==> I have DSL with multiple static IP addresses at home (work
>     perk), but my static block of addresses isn't big enough
>     for me to be able to split it further into mini-subnets for
>     routing purposes, which is why I want to run a bridge rather
>     than a conventional router.
> 
> ==> I don't need my firewall to pass any kind of non-IP packets,
>     other than ARP.


so how does bridging help?

this is what I'd do..

                                    real | nat
                               addresses | addresses
                                         |
--internet--[firewall]------------[workstation+NAT]---------[othermachines]
                                         |
                                         | 


In fact it is possible you could run both the 10.x.x.x net and the 'real' 
net on the same interface/cable and use the firewall to NAT them as well
(just assign two addresses to the interface). (I'd have to look 
at the rules that are installed for NATD but I'm sure you could 
work something out.)
 
> Rich Wales         richw@webcom.com         http://www.webcom.com/richw/

-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/  
            v