From owner-freebsd-questions Fri Oct 2 09:51:32 1998
Date: Fri, 02 Oct 1998 11:52:28 -0500
From: Kim Shrier
Organization: Shrier and Deihl
To: ark@eltex.ru
CC: agalindo@servidor.exsocom.com.mx, questions@FreeBSD.ORG
Subject: Re: Firewall with 2 NIC and a NET class C
Message-ID: <361504CC.A2CBB257@tinker.com>
References: <199810020908.NAA21458@paranoid.eltex.spb.ru>

ark@eltex.ru wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> nuqneH,
>
> Alejandro Galindo Chairez AGALINDO said :
>
> > > You have a couple of ways to approach this. You could use network address
> > > translation and have private addresses for all your machines. The "public"
> > > machines would have static mappings to real IP addresses that are aliased
> > > on the outside interface of the firewall. You would also use ipfw rules to
> > > control the traffic.
> >
> > ok i like the idea to have static mappings to real IP addrs. that are
> > aliased on the out interface, how can i do that?
>
> It is definitely BAD idea. It breaks any reasonable security policy.
>

No, it doesn't. The point of a publicly accessible server is that it can be accessed from the internet.

Static mapping allows you to make a machine on the private network visible to the internet. If you then add appropriate filter rules, you restrict access to only those ports that you want people to get at (25, 80, 110, etc.).

The non-public machines (i.e. people's personal machines) are not statically mapped and therefore not visible to the internet. However, these machines can initiate connections out to the internet. Also, you would set up filter rules to restrict traffic to and from these machines.

Kim Shrier
kim@tinker.com
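As an added example, not part of Kim's post or any FreeBSD file: the layout described above written as a natd/ipfw configuration, with one private server given a static mapping to an address aliased on the outside interface, only ports 25, 80 and 110 admitted to it, and non-mapped hosts able to connect out but unreachable from outside. The interface name ed0 and all addresses are placeholders I chose; 203.0.113.0/24 stands in for the class C and 192.168.1.0/24 for the private LAN.

```shell
#!/bin/sh
# Added example (not from the original thread): FreeBSD natd + ipfw layout
# for one statically mapped public server on a private LAN. Addresses are
# placeholders (203.0.113.0/24 plays the class C, 192.168.1.0/24 the LAN)
# and the interface name is an assumption.
EXT_IF=${EXT_IF:-ed0}       # outside interface (assumed name)
PUB_ALIAS=203.0.113.10      # public address aliased on EXT_IF
SRV_PRIV=192.168.1.10       # private address of the "public" server
PUB_PORTS=25,80,110         # the only ports reachable on that server

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 runs it (as root).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }

# /etc/natd.conf: a 1:1 static mapping for the server. Every other LAN
# host is masqueraded behind the firewall's own address, so nothing on
# the internet can address it directly.
natd_conf() {
    printf 'interface %s\nuse_sockets yes\nsame_ports yes\n' "$EXT_IF"
    printf 'redirect_address %s %s\n' "$SRV_PRIV" "$PUB_ALIAS"
}

fw_rules() {
    # The aliased address must sit on the outside interface so the
    # firewall answers ARP for it.
    run ifconfig "$EXT_IF" inet "$PUB_ALIAS" netmask 255.255.255.255 alias
    run ipfw -f flush
    # NAT first: an inbound packet for PUB_ALIAS returns from natd
    # addressed to SRV_PRIV, so the rules below filter on private IPs.
    run ipfw add 100 divert natd ip from any to any via "$EXT_IF"
    # Traffic on TCP connections that were already accepted.
    run ipfw add 200 allow tcp from any to any established
    # Only mail, web and POP may open a connection to the mapped server.
    run ipfw add 300 allow tcp from any to "$SRV_PRIV" "$PUB_PORTS" in via "$EXT_IF" setup
    # Every other inbound connection attempt (other ports on the server,
    # the firewall itself, or a non-mapped LAN host) is logged and dropped.
    run ipfw add 400 deny log tcp from any to any in via "$EXT_IF" setup
    # What reaches this point is an outbound or LAN-side request.
    run ipfw add 500 allow tcp from any to any setup
    run ipfw add 600 allow udp from any to any 53 out via "$EXT_IF"
    run ipfw add 610 allow udp from any 53 to any in via "$EXT_IF"
    run ipfw add 65000 deny log ip from any to any
}

natd_conf
fw_rules
```

Run as-is it only prints the commands; with DRY_RUN=0 it applies them, and the natd_conf output belongs in /etc/natd.conf. Rule 610 is stateless and therefore trusts any inbound UDP packet with source port 53, which is the classic weakness of this 1998-era ruleset; on later ipfw releases a keep-state outbound rule replaces it.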