From owner-freebsd-questions Fri Oct 2 05:31:48 1998
Return-Path:
Received: (from majordom@localhost)
    by hub.freebsd.org (8.8.8/8.8.8) id FAA16615
    for freebsd-questions-outgoing; Fri, 2 Oct 1998 05:31:48 -0700 (PDT)
    (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from ns1.seidata.com (ns1.seidata.com [208.10.211.2])
    by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA16591;
    Fri, 2 Oct 1998 05:31:42 -0700 (PDT)
    (envelope-from mike@seidata.com)
Received: from localhost (mike@localhost)
    by ns1.seidata.com (8.8.8/8.8.5) with SMTP id IAA13297;
    Fri, 2 Oct 1998 08:34:59 -0400 (EDT)
Date: Fri, 2 Oct 1998 08:34:59 -0400 (EDT)
From: Mike
To: ark@eltex.ru
cc: agalindo@servidor.exsocom.com.mx, kim@tinker.com, questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C
In-Reply-To: <199810020908.NAA21458@paranoid.eltex.spb.ru>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 2 Oct 1998 ark@eltex.ru wrote:

> > ok i like the idea to have static mappings to real IP addrs. that are
> > aliased on the out interface, how can i do that?
>
> It is definitely BAD idea. It breaks any reasonable security policy.

"Our recommendation is to obtain and use registered IP addresses if at
all possible. If you must use private IP addresses, then use the ones
specified by RFC1597, but beware that you're setting yourself up for
later problem[s]."

    _Building Internet Firewalls_, Ch. 4, p. 90
    D. Brent Chapman & Elizabeth D. Zwicky

-mike