Date:      Thu, 12 Feb 1998 08:41:01 +1100 (EST)
From:      "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To:        Cliff Addy <fbsdlist@federation.addy.com>
Cc:        questions@FreeBSD.ORG, isp@FreeBSD.ORG
Subject:   Re: FreeBSD firewall questions
Message-ID:  <Pine.BSF.3.91.980212083436.294M@panda.hilink.com.au>
In-Reply-To: <Pine.BSF.3.95q.980211082836.5078A-100000@federation.addy.com>


On Wed, 11 Feb 1998, Cliff Addy wrote:

> - I think we have to change the default gateway of all our systems to the
> firewall box, is that correct?  Currently, they use the router. 

Correct.
 
> - We have 4 class C networks in our internal systems.  Let's assume we
> assign 100.100.100.100 to the "inside" nic on the firewall box and
> 100.100.100.101 to the "outside" nic, while the router's ip is
> 100.100.100.1.  Does this routing on the firewall box look right? 
> 
>    - set static network routes to the internal class C networks
>       route add -net 100.100.100.0 -interface 100.100.100.100
>       route add -net 100.100.101.0 -interface 100.100.100.100
>       route add -net 100.100.102.0 -interface 100.100.100.100
>       route add -net 100.100.103.0 -interface 100.100.100.100

If they are all contiguous, starting on a multiple of 4, why not just use a 
netmask of 255.255.252.0?
    
>    - set a static route to the router's ip address
>       route add 100.100.100.1 100.100.100.101
> 
>      or does this need to be
>       route add 100.100.100.1 -interface 100.100.100.101

Don't know what this is for.  How many nics are you putting in the 
FreeBSD box?  It is starting to sound like 1.  I have had conversations 
with two others about this sort of layout, and you are really better off 
getting it right to start with.  For starters, I bet you don't have 1000 
machines on your local ethernet cable.  3 of those class Cs are for 
virtual webservers?  Then you should put the addresses as aliases on lo0 
of the web machine, and add a route to the network via that machine as a 
gateway.


>    - set the default gateway to the router's ip in rc.conf
>       defaultrouter="100.100.100.1"
> 
> - In order to connect the outside nic of the firewall directly to the
> router, don't we need a "special" cable, the cat-5 equivalent of a
> null-modem cable?

So you do have 2 nics.  Are you intending on using an entire class C for 
the link between the FreeBSD box and the router?  

Please draw an ascii diagram of your intended network layout, with 
machines and services.  List the current IP addresses on the network, and 
use the real numbers, not 100.100.100.x, please.  Then I'll be able to 
give you a more comprehensive answer.

Danny
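Danny's netmask suggestion above (four contiguous class Cs starting on a multiple of 4 collapse to one 255.255.252.0 route) as an added, runnable example; this is not code from the thread, and it reuses the placeholder 100.100.100.x addresses from Cliff's message rather than any real network.

```python
import ipaddress
from typing import List, Optional, Sequence

INSIDE_NIC = "100.100.100.100"   # placeholder "inside" address from the thread
INTERNAL_NETS = [                # the four class Cs from the thread
    "100.100.100.0/24", "100.100.101.0/24",
    "100.100.102.0/24", "100.100.103.0/24",
]


def aggregate(nets: Sequence[str]) -> Optional[ipaddress.IPv4Network]:
    """Return one supernet covering all of `nets`, or None when they are not
    both contiguous and aligned on a prefix boundary (four /24s whose first
    third octet is a multiple of 4 collapse to a single /22)."""
    parsed = [ipaddress.ip_network(n, strict=True) for n in nets]
    # collapse_addresses only merges adjacent, equal-sized, aligned blocks and
    # never widens beyond their union, so exactly one result means the union
    # is itself a single prefix.
    merged = list(ipaddress.collapse_addresses(parsed))
    return merged[0] if len(merged) == 1 else None


def route_commands(nets: Sequence[str], iface_ip: str) -> List[str]:
    """FreeBSD route(8) lines: a single -netmask route when aggregation is
    possible, otherwise one route per original class C (as in the thread)."""
    summary = aggregate(nets)
    targets = [summary] if summary else [ipaddress.ip_network(n) for n in nets]
    return [
        f"route add -net {t.network_address} -netmask {t.netmask} "
        f"-interface {iface_ip}"
        for t in targets
    ]


if __name__ == "__main__":
    for line in route_commands(INTERNAL_NETS, INSIDE_NIC):
        print(line)
    # Misaligned case: 101..104 does not start on a multiple of 4, so there
    # is no single /22 and aggregate() returns None.
    print(aggregate(["100.100.101.0/24", "100.100.102.0/24",
                     "100.100.103.0/24", "100.100.104.0/24"]))
```

The misaligned case matters in practice: a /22 route added for blocks that do not start on a multiple of 4 would silently cover a neighbouring class C that is not yours.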
