From owner-freebsd-questions Mon Jun 4 19:04:54 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id CBAD437B401 for ; Mon, 4 Jun 2001 19:04:49 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f553NDK90957; Mon, 4 Jun 2001 22:23:13 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Mon, 4 Jun 2001 22:23:13 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Thierry Black
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: how to hook up a firewall?
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, 4 Jun 2001, Thierry Black wrote:

> Thanks to you for answering my other questions before! This group is a
> great help.
>
> I have a small subnet of public addresses, like 172.168.0.128/28.
> So, 128 is the network, 129-142 are usable, and 143 is broadcast.
>
> I want to put up a firewall in between and have it route all traffic to
> and from this network, but I want another machine (web server) on the
> same segment as the firewall, but not behind the firewall. All other
> machines should be behind the firewall.
>
> So something like this:
>
>      gateway 1 (ISP managed)
>               |
>       +-------+----------+
>       |                  |
>    firewall          web server
>       |
>       +-----+-----+-- - - -
>       |     |     |
>    other machines behind firewall
>
>
> All machines in the diagram must use IP addresses from our subnet, but I can
> change all addresses (including the ISP-managed gateway) if a subnet works
> better. There are a few free IP addresses.
>
> How would you guys set this up?

Well, you have some options:

1) Segment your /28 subnet into 2 /29's, or 1 /29 and 2 /30's, or 4 /30's, or whatever.

2) Assign your whole /28 to your outside firewall interface (the net that your web server sits on). Then run NAT on the firewall for all "other machines behind the firewall".

3) Run the firewall in bridging mode.

I would personally run with option 1 or 2...probably option 2. I guess it all depends on what "the other machines behind the firewall" are doing and if they need to be accessible from the outside world (aka the Internet).

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
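The address arithmetic behind option 1 (and the reason option 2 keeps more usable addresses) is easy to get wrong by hand. The following is an added example, not part of the original thread; it takes the poster's 172.168.0.128/28 and works through the carvings Nick lists (two /29s, one /29 plus two /30s, four /30s), reporting network, broadcast and usable range for each piece, rejecting carvings that are misaligned or do not cover the block exactly, and totalling how many of the 16 addresses each plan leaves usable. The `carve`, `describe` and `usable_total` names are this example's own.

```python
"""Subnet-carving helper for a /28 (added example, not from the original post)."""
import ipaddress

# Block from the question; 172.168.0.128/28 is the poster's value, used as-is.
PARENT = ipaddress.ip_network("172.168.0.128/28")


def describe(net):
    """Return (network, first usable, last usable, broadcast, usable count)."""
    hosts = list(net.hosts())          # ipaddress excludes network/broadcast for /30 and shorter
    return (str(net.network_address), str(hosts[0]), str(hosts[-1]),
            str(net.broadcast_address), len(hosts))


def carve(parent, prefixes):
    """Split `parent` from the bottom up into subnets of the given prefix lengths.

    prefixes are consumed in order, so [29, 30, 30] means one /29 followed by
    two /30s. Raises ValueError when a piece is misaligned, overflows the
    parent, or the pieces do not cover the parent exactly once.
    """
    subnets = []
    cursor = int(parent.network_address)
    end = int(parent.broadcast_address) + 1
    for p in prefixes:
        if p < parent.prefixlen:
            raise ValueError(f"/{p} is larger than the parent /{parent.prefixlen}")
        size = 2 ** (parent.max_prefixlen - p)
        if cursor % size:
            raise ValueError(f"/{p} cannot start at {ipaddress.ip_address(cursor)} (unaligned)")
        if cursor + size > end:
            raise ValueError("carving overflows the parent block")
        subnets.append(ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{p}"))
        cursor += size
    if cursor != end:
        raise ValueError("carving leaves part of the parent unassigned")
    return subnets


def usable_total(subnets):
    """Usable host addresses left after every piece spends two on network/broadcast."""
    return sum(len(list(n.hosts())) for n in subnets)


def plan(parent, prefixes):
    """Describe each piece of a carving as a list of tuples."""
    return [describe(n) for n in carve(parent, prefixes)]


if __name__ == "__main__":
    options = {
        "whole /28 (option 2, NAT behind firewall)": [28],
        "two /29s": [29, 29],
        "one /29 + two /30s": [29, 30, 30],
        "four /30s": [30, 30, 30, 30],
    }
    for label, prefixes in options.items():
        pieces = carve(PARENT, prefixes)
        print(f"{label}: {usable_total(pieces)} usable of {PARENT.num_addresses}")
        for net, first, last, bcast, n in plan(PARENT, prefixes):
            print(f"  {net:<16} usable {first}-{last} ({n})  broadcast {bcast}")
    # A /29 placed after a single /30 is not on an 8-address boundary.
    try:
        carve(PARENT, [30, 29, 30])
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows why Nick leans toward option 2: every extra subnet spends two more addresses on network and broadcast, so the whole /28 keeps 14 usable addresses while four /30s keep only 8.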