Date:      Fri, 02 Oct 1998 11:52:28 -0500
From:      Kim Shrier <kim@tinker.com>
To:        ark@eltex.ru
Cc:        agalindo@servidor.exsocom.com.mx, questions@FreeBSD.ORG
Subject:   Re: Firewall with 2 NIC and a NET class C
Message-ID:  <361504CC.A2CBB257@tinker.com>
References:  <199810020908.NAA21458@paranoid.eltex.spb.ru>

ark@eltex.ru wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> nuqneH,
> 
> Alejandro Galindo Chairez AGALINDO  <agalindo@servidor.exsocom.com.mx> said :
> 
> > > You have a couple of ways to approach this.  You could use network address
> > > translation and have private addresses for all your machines.  The "public"
> > > machines would have static mappings to real IP addresses that are aliased
> > > on the outside interface of the firewall.  You would also use ipfw rules to
> > > control the traffic.
> >
> > ok i like the idea to have static mappings to real IP addrs. that are
> > aliased on the out interface, how can i do that?
> 
> It is definitely BAD idea. It breaks any reasonable security policy.
> 

No, it doesn't.  The point of a publicly accessible server is that it
can be accessed from the internet.  Static mapping allows you to make
a machine on the private network visible to the internet.  If you
then add appropriate filter rules, then you restrict access to only
those ports that you want people to get at (25, 80, 110, etc.).
The non-public machines (i.e. people's personal machines) are not
statically mapped and therefore not visible to the internet.  However,
these machines can initiate connections out to the internet.  Also,
you would set up filter rules to restrict traffic to and from these
machines.

Kim Shrier
kim@tinker.com
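For readers who want to see what the static mapping plus filter rules look like in practice, here is an added example of a natd/ipfw configuration for the layout Kim describes. It is not part of the original thread and not Kim's or Alejandro's configuration; every address, interface name and port list in it is assumed for illustration (outside interface fxp0 holding the firewall's own 203.0.113.2 and an alias 203.0.113.10, inside interface fxp1 on 192.168.1.0/24, a public server at 192.168.1.10 reachable on 25, 80 and 110), and the rc.conf knobs are the ones used by the 3.x/4.x rc scripts (natd_enable, natd_interface, firewall_script, ifconfig_*_alias0).

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout (all values illustrative):
#   outside interface fxp0, firewall's own public address 203.0.113.2/24
#   inside interface fxp1, private network 192.168.1.0/24
#   public mail/web/POP server 192.168.1.10, statically mapped to 203.0.113.10
OIF=fxp0
IIF=fxp1
PRIV_NET=192.168.1.0/24
SRV_PRIV=192.168.1.10
SRV_PUB=203.0.113.10
PUBLIC_PORTS="25 80 110"
# /sbin/ipfw by default; run with IPFW=echo to preview the rule set without loading it
IPFW=${IPFW:-/sbin/ipfw}

# /etc/rc.conf lines: forward packets, run natd on the outside interface, and
# alias the public server's address onto that interface. natd can only answer
# for addresses the kernel owns, so the alias is required, not optional.
rc_conf() {
  cat <<EOF
gateway_enable="YES"
ifconfig_${OIF}_alias0="inet $SRV_PUB netmask 255.255.255.255"
natd_enable="YES"
natd_interface="$OIF"
natd_flags="-f /etc/natd.conf"
firewall_enable="YES"
firewall_script="/etc/ipfw.sh"
EOF
}

# /etc/natd.conf: one static, bidirectional mapping per public machine.
# Hosts without a redirect_address line are masqueraded behind the firewall's
# own address and can only receive replies to sessions they opened themselves.
natd_conf() {
  cat <<EOF
redirect_address $SRV_PRIV $SRV_PUB
EOF
}

# The ipfw rule set. Each packet is evaluated once per interface it crosses,
# so filtering happens on the outside interface and the inside one passes all.
firewall_rules() {
  $IPFW -f flush
  $IPFW add 100 allow ip from any to any via lo0
  $IPFW add 110 deny ip from any to 127.0.0.0/8
  # Anti-spoofing: our private range must never arrive on the outside interface.
  $IPFW add 200 deny ip from $PRIV_NET to any in via $OIF
  # Hand everything crossing the outside interface to natd. Rules after this
  # one see translated addresses: inbound packets for $SRV_PUB already carry
  # $SRV_PRIV as their destination.
  $IPFW add 400 divert natd ip from any to any via $OIF
  # The public server: only the listed ports, and only new connections (setup).
  for p in $PUBLIC_PORTS; do
    $IPFW add 500 allow tcp from any to $SRV_PRIV $p in via $OIF setup
  done
  # Packets belonging to connections already set up, in either direction.
  $IPFW add 600 allow tcp from any to any established
  # Inside hosts, public or not, may open TCP connections outward.
  $IPFW add 700 allow tcp from any to any out via $OIF setup
  # DNS in the stateless, pre-keep-state style: queries out to 53, answers back from 53.
  $IPFW add 710 allow udp from any to any 53 out via $OIF
  $IPFW add 720 allow udp from any 53 to any in via $OIF
  # Inside interface: pass everything; per-machine restrictions for the
  # non-public hosts would be inserted ahead of this rule.
  $IPFW add 800 allow ip from any to any via $IIF
  # Everything else, including inbound to the non-mapped private hosts and to
  # any port of the server not listed above, is dropped and logged.
  $IPFW add 65000 deny log ip from any to any
}

# Only load rules when explicitly asked: "sh ipfw.sh apply" (as root, on the firewall).
if [ "${1:-}" = apply ]; then
  firewall_rules
fi
```

Preview the rule set with `IPFW=echo sh ipfw.sh apply` before loading it on a box you are logged into remotely, since a flush followed by a typo in the rules will lock you out. One caveat worth knowing about this 1998-era style: the `established` rule at 600 is stateless, so an ACK-only packet sent to 203.0.113.10 on a port not in the list is translated by the static mapping and then matched by rule 600 rather than by the `setup` rules; that is the well-known weakness of `established`, and later ipfw versions address it with `check-state`/`keep-state` rules in place of 500 to 700.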




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?361504CC.A2CBB257>