From owner-freebsd-questions Wed Feb 11 13:42:04 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA27222 for questions-outgoing; Wed, 11 Feb 1998 13:42:04 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.8.15.25]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA27159; Wed, 11 Feb 1998 13:41:38 -0800 (PST) (envelope-from danny@panda.hilink.com.au)
Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.8.5) id IAA06255; Thu, 12 Feb 1998 08:41:01 +1100 (EST)
Date: Thu, 12 Feb 1998 08:41:01 +1100 (EST)
From: "Daniel O'Callaghan"
To: Cliff Addy
cc: questions@FreeBSD.ORG, isp@FreeBSD.ORG
Subject: Re: FreeBSD firewall questions
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 11 Feb 1998, Cliff Addy wrote:

> - I think we have to change the default gateway of all our systems to the
> firewall box, is that correct? Currently, they use the router.

Correct.

> - We have 4 class C networks in our internal systems. Let's assume we
> assign 100.100.100.100 to the "inside" nic on the firewall box and
> 100.100.100.101 to the "outside" nic, while the router's ip is
> 100.100.100.1. Does this routing on the firewall box look right?
>
> - set static network routes to the internal class C networks
> route add -net 100.100.100.0 -interface 100.100.100.100
> route add -net 100.100.101.0 -interface 100.100.100.100
> route add -net 100.100.102.0 -interface 100.100.100.100
> route add -net 100.100.103.0 -interface 100.100.100.100

If they are all contiguous, starting on a multiple of 4, why not just use
a netmask of 255.255.252.0?

> - set a static route to the router's ip address
> route add 100.100.100.1 100.100.100.101
>
> or does this need to be
> route add 100.100.100.1 -interface 100.100.100.101

Don't know what this is for.
How many nics are you putting in the FreeBSD box? It is starting to sound
like 1. I have had conversations with two others about this sort of layout,
and you are really better off getting it right to start with. For starters,
I bet you don't have 1000 machines on your local ethernet cable. 3 of those
class Cs are for virtual webservers? Then you should put the addresses as
aliases on lo0 of the web machine, and add a route to the network via that
machine as a gateway.

> - set the default gateway to the router's ip in rc.conf
> defaultrouter="100.100.100.1"
>
> - In order to connect the outside nic of the firewall directly to the
> router, don't we need a "special" cable, the cat-5 equivalent of a
> null-modem cable?

So you do have 2 nics. Are you intending on using an entire class C for the
link between the FreeBSD box and the router?

Please draw an ascii diagram of your intended network layout, with machines
and services. List the current IP addresses on the network, and use the real
numbers, not 100.100.100.x, please. Then I'll be able to give you a more
comprehensive answer.

Danny

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe questions" in the body of the message
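Danny's suggestion to replace the four per-network routes with a single 255.255.252.0 supernet holds only when the /24s are contiguous and the first one starts on a multiple of the block size. The helper below is an added example (not from the mail and not FreeBSD's own tooling) that checks that condition and prints the one route add line it permits; the interface address and networks are the ones quoted in the thread, and the helper name is hypothetical.

```shell
#!/bin/sh
# Aggregate contiguous /24 networks into one supernet route.
# Hypothetical helper: prints "route add -net BASE -netmask MASK -interface IF"
# when the /24s form an aligned power-of-two block, otherwise reports why not.

# Dotted quad -> integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# aggregate_24s IFACE_ADDR NET1 NET2 ...  (each NET is a /24 network address)
aggregate_24s() {
    iface=$1; shift
    n=$#
    # The number of /24s must be a power of two (2, 4, 8, ...).
    if [ "$n" -eq 0 ] || [ $(( n & (n - 1) )) -ne 0 ]; then
        echo "need a power-of-two number of /24s, got $n" >&2; return 1
    fi
    base=$(ip2int "$1")
    size=$(( n * 256 ))              # block size in addresses
    # The first network must sit on a boundary of the block size
    # ("starting on a multiple of 4" for four /24s).
    if [ $(( base % size )) -ne 0 ]; then
        echo "first network $1 is not aligned to a block of $n /24s" >&2; return 1
    fi
    # Every following network must be exactly 256 addresses after the previous.
    i=0
    for net in "$@"; do
        expect=$(( base + i * 256 ))
        if [ "$(ip2int "$net")" -ne "$expect" ]; then
            echo "$net is not contiguous (expected $(int2ip "$expect"))" >&2; return 1
        fi
        i=$(( i + 1 ))
    done
    mask=$(( 0xffffffff ^ (size - 1) ))   # e.g. 4 x /24 -> 255.255.252.0
    echo "route add -net $(int2ip "$base") -netmask $(int2ip "$mask") -interface $iface"
}

aggregate_24s 100.100.100.100 100.100.100.0 100.100.101.0 100.100.102.0 100.100.103.0
```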