From: "Rodney W. Grimes"
Date: Thu, 4 Nov 1999 10:19:34 -0800 (PST)
To: danderse@cs.utah.edu (David G Andersen)
Cc: scott@computeralt.com (Scott I. Remick), freebsd-security@FreeBSD.ORG
Subject: Re: Firewall questions
Message-Id: <199911041819.KAA50123@gndrsh.dnsmgr.net>
In-Reply-To: <199911041525.IAA06533@faith.cs.utah.edu> from David G Andersen at "Nov 4, 1999 08:25:32 am"

> > 4) How do I properly set up routes for a dual-homed firewall where both
> > sides are within the same class C? This is the first time I've ever had to
> > play with routing and gateways.
>
> Subnet them into /25's, or use RFC1918 addresses on the inside.

Variable length subnet them into a /30 between the firewall and the outside
router, use the rest inside. I generally don't put more than 32 or 64 IP's
on one ethernet segment and don't use proxy arp or number virtuals (see ARIN
guidelines on IP space usage).

ifconfig_ed0="inet A.B.C.2 netmask 0xfffffffc"
ifconfig_ed1="inet A.B.C.33 netmask 0xffffffe0"

You can use the rest by routing them off someplace else later. You should
also really do a proper IP space plan...

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25) rgrimes@gndrsh.dnsmgr.net
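
Added example, not part of the original message: a Python check of the plan above that parses the two rc.conf lines, confirms the /30 and /27 sit inside the class C without overlapping, and lists the address space left to route elsewhere. The documentation prefix 192.0.2.0/24 stands in for A.B.C.0/24, and the function names are hypothetical.

```python
import ipaddress

# Assumption: 192.0.2.0/24 (documentation prefix) stands in for A.B.C.0/24.
BLOCK = ipaddress.ip_network("192.0.2.0/24")
# Constructed rc.conf lines mirroring the message, with A.B.C replaced.
RC_CONF = """
ifconfig_ed0="inet 192.0.2.2 netmask 0xfffffffc"
ifconfig_ed1="inet 192.0.2.33 netmask 0xffffffe0"
"""

def parse_rc_conf(text):
    """Map interface name to IPv4Interface for 'inet ADDR netmask 0xHEX' lines."""
    ifaces = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("ifconfig_"):
            continue
        name, value = line.split("=", 1)
        words = value.strip('"').split()
        addr = words[words.index("inet") + 1]
        mask = ipaddress.IPv4Address(int(words[words.index("netmask") + 1], 16))
        ifaces[name[len("ifconfig_"):]] = ipaddress.ip_interface(f"{addr}/{mask}")
    return ifaces

def check_plan(block, ifaces):
    """Reject subnets outside the block, overlaps, and unusable host addresses."""
    nets = sorted((i.network, n) for n, i in ifaces.items())
    for net, name in nets:
        if not net.subnet_of(block):
            raise ValueError(f"{name}: {net} is outside {block}")
        ip = ifaces[name].ip
        if ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{name}: {ip} is the network or broadcast address")
    for (a, an), (b, bn) in zip(nets, nets[1:]):
        if a.overlaps(b):
            raise ValueError(f"{an} and {bn} overlap: {a} / {b}")
    return [n for n, _ in nets]

def free_space(block, used):
    """Return the unallocated remainder of block as the fewest CIDR prefixes."""
    free = [block]
    for u in used:
        free = [p for f in free
                for p in (f.address_exclude(u) if u.subnet_of(f) else [f])]
    return sorted(free)

if __name__ == "__main__":
    used = check_plan(BLOCK, parse_rc_conf(RC_CONF))
    print(used, free_space(BLOCK, used))
```

The free list is what remains "to route off someplace else later"; a mistyped netmask that makes the outside link and the inside segment overlap raises ValueError instead of silently sending traffic out the wrong interface.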