Date: Wed, 09 Sep 2009 09:14:46 -1000
From: Al Plant <noc@hdk5.net>
To: Maxim Khitrov <mkhitrov@gmail.com>
Cc: Free BSD Questions list <freebsd-questions@freebsd.org>
Subject: Re: Correct way to configure an IP range for firewall
Message-ID: <4AA7FEA6.70603@hdk5.net>
In-Reply-To: <26ddd1750909091144x447fb4bt93e4bdc56d7a9202@mail.gmail.com>
References: <26ddd1750909091144x447fb4bt93e4bdc56d7a9202@mail.gmail.com>
Maxim Khitrov wrote:
> Hello all,
>
> A quick question - I have a /29 block of IPs that needs to be handled
> by a firewall I'm setting up. Two addresses are lost to broadcast and
> network, one is the ISP gateway, so we end up with 5 usable IPs that
> can be assigned to the external interface. The question is how to do
> this correctly?
>
> I want only one of the addresses assigned to the firewall itself,
> another will be used as the public nat address for all hosts on the
> lan. Remaining three addresses will be used as bidirectional nat for
> servers.
>
> Am I correct in assuming that I just need to add four
> ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the
> future we get a much bigger IP block, is there a more efficient way of
> accomplishing the same thing? I don't actually want the firewall to
> consider itself the final destination for any of the additional IPs,
> it just needs to pass them to pf for nat and filtering.
>
> - Max
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

Aloha Max,

What you have sounds like an ATM (Asynchronous Transfer Mode) circuit. I have one here that is for three servers, a desktop and one spare IP. I got the setup from Michael Paoli at cal.berkely.edu in California. With setup I had to put firewalls (PF) on the three servers facing the internet and the desktop as well.

There are 2 references I used for this firewall setup: Absolute FreeBSD - M. Lucas Pg. 273 and bsdly.bet Peter Hansteen. Both are on this list.

If you would like to see the three sheets on how I set this up I can fax them to you or email.

The setup for more IP's should be scalable but the IP's and default route would change, I would think. You could keep using /29 ATM blocks and increase in increments with different IP's, most likely without changing the first ones.

~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
 + http://hawaiidakine.com + http://freebsdinfo.org +
 + http://aloha50.net - Supporting - FreeBSD 6.* - 7.* - 8.* +
 < email: noc@hdk5.net >
"All that's really worth doing is what we do for others."- Lewis Carrol