From: Maxim Khitrov
Date: Wed, 9 Sep 2009 14:44:35 -0400
To: FreeBSD Questions list <freebsd-questions@freebsd.org>
Subject: Correct way to configure an IP range for firewall
Message-ID: <26ddd1750909091144x447fb4bt93e4bdc56d7a9202@mail.gmail.com>
List-Id: User questions

Hello all,

A quick question - I have a /29 block of IPs that needs to be handled by a firewall I'm setting up. Two addresses are lost to broadcast and network, one is the ISP gateway, so we end up with 5 usable IPs that can be assigned to the external interface. The question is how to do this correctly?

I want only one of the addresses assigned to the firewall itself; another will be used as the public NAT address for all hosts on the LAN. The remaining three addresses will be used as bidirectional NAT for servers. Am I correct in assuming that I just need to add four ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the future we get a much bigger IP block; is there a more efficient way of accomplishing the same thing?

I don't actually want the firewall to consider itself the final destination for any of the additional IPs; it just needs to pass them to pf for NAT and filtering.

- Max
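The layout described in the question, written out as an added example (not from the original post): a constructed /29 (the documentation prefix 203.0.113.8/29, so .8 is the network, .15 the broadcast and .9 the ISP gateway), interface names vr0/vr1, the LAN 192.168.1.0/24 and three server addresses are all assumptions. The firewall keeps one address for itself, one address serves as the outbound NAT address, and the other three are binat mappings; pf filter rules see the translated (private) destination because translation happens before filtering, so the pass rules are written against the private server addresses and only open the ports each server actually needs.

```conf
# /etc/rc.conf (constructed example)
ifconfig_vr0="inet 203.0.113.10 netmask 255.255.255.248"   # firewall's own address
defaultrouter="203.0.113.9"                                 # ISP gateway
ifconfig_vr0_alias0="inet 203.0.113.11 netmask 255.255.255.255"  # outbound NAT address
ifconfig_vr0_alias1="inet 203.0.113.12 netmask 255.255.255.255"  # binat: web
ifconfig_vr0_alias2="inet 203.0.113.13 netmask 255.255.255.255"  # binat: mail
ifconfig_vr0_alias3="inet 203.0.113.14 netmask 255.255.255.255"  # binat: dns
# For a larger block the same aliases can be written as one range instead:
# ipv4_addrs_vr0="203.0.113.11-203.0.113.14/32"
ifconfig_vr1="inet 192.168.1.1 netmask 255.255.255.0"      # internal interface
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"

# /etc/pf.conf (constructed example)
ext_if   = "vr0"
int_if   = "vr1"
lan_net  = "192.168.1.0/24"
nat_addr = "203.0.113.11"
web_priv  = "192.168.1.10"   web_pub  = "203.0.113.12"
mail_priv = "192.168.1.11"   mail_pub = "203.0.113.13"
dns_priv  = "192.168.1.12"   dns_pub  = "203.0.113.14"
admin_net = "198.51.100.0/24"   # assumed management network

set skip on lo0
scrub in all

# Translation: one shared address for the LAN, fixed 1:1 mappings for servers.
nat   on $ext_if from $lan_net   to any -> $nat_addr
binat on $ext_if from $web_priv  to any -> $web_pub
binat on $ext_if from $mail_priv to any -> $mail_pub
binat on $ext_if from $dns_priv  to any -> $dns_pub

# Filtering: default deny, logged; only the needed services are exposed.
block log all
pass out on $ext_if keep state
pass in  on $int_if from $lan_net to any keep state
pass in  on $ext_if proto tcp from any to $web_priv  port { 80, 443 } flags S/SA keep state
pass in  on $ext_if proto tcp from any to $mail_priv port 25 flags S/SA keep state
pass in  on $ext_if proto { tcp, udp } from any to $dns_priv port 53 keep state
# Administrative access only to the firewall's own address, from the admin network.
pass in  on $ext_if proto tcp from $admin_net to 203.0.113.10 port 22 flags S/SA keep state
```

The /32 netmask on the aliases matters: the interface still answers ARP for each address (which is all the binat mappings need), while the firewall's only real on-link address remains the primary one. Check the result with `pfctl -s nat` and `pfctl -s rules` after `pfctl -nf /etc/pf.conf` parses cleanly.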