From owner-freebsd-security Thu Oct 1 12:09:40 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA14250 for freebsd-security-outgoing; Thu, 1 Oct 1998 12:09:40 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from peak.mountin.net (peak.mountin.net [207.227.119.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA14244; Thu, 1 Oct 1998 12:09:36 -0700 (PDT) (envelope-from jeff-ml@mountin.net)
Received: (from daemon@localhost) by peak.mountin.net (8.9.1/8.9.1) id OAA24213; Thu, 1 Oct 1998 14:09:09 -0500 (CDT)
Received: from harkol-87.isdn.mke.execpc.com(169.207.64.215) by peak.mountin.net via smap (V1.3) id sma024211; Thu Oct 1 14:08:48 1998
Message-Id: <3.0.3.32.19981001140720.0077bf10@207.227.119.2>
X-Sender: jeff-ml@207.227.119.2
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Thu, 01 Oct 1998 14:07:20 -0500
To: Alejandro Galindo Chairez AGALINDO
From: "Jeffrey J. Mountin"
Subject: Re: Firewall with 2 NIC and a NET class C
Cc: questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To:
References: <36132D71.39FCD5A3@tinker.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:11 AM 10/1/98 -0500, Alejandro Galindo Chairez AGALINDO wrote:
>On Thu, 1 Oct 1998, Kim Shrier wrote:
>
>> You have a couple of ways to approach this. You could use network address
>> translation and have private addresses for all your machines. The "public"
>> machines would have static mappings to real IP addresses that are aliased
>> on the outside interface of the firewall. You would also use ipfw rules to
>> control the traffic.
>
>OK, I like the idea of having static mappings to real IP addrs. that are
>aliased on the outside interface. How can I do that?
>
>> Another approach is to split your class C into subnets, one subnet for the
>> outside interface and the other for the inside interface, and then set up
>> ipfw rules and routes in the firewall to control the traffic.
>
>OK, in this case I can set up my outside network as a half class C (mask
>255.255.255.128) with the following IPs: 208.195.117.1 - 208.195.117.127,
>and the inside net with the IPs 208.195.117.129 - 208.195.117.254.

If you are using NAT you don't need "real" IPs on the internal interface.
You could use private IPs on the internal interface and map them to the
real IPs on the external interface. As pointed out, you can do the mapping:

    External          Internal
    208.195.117.1     208.195.117.129
    208.195.117.2     208.195.117.130
    etc

or with private addresses:

    External          Internal
    208.195.117.1     192.168.117.1
    208.195.117.2     192.168.117.2
    etc

In either case you need to alias a number of IPs on the external interface,
but using private addresses doubles what you can use and you don't have to
subnet. Otherwise there is no difference in how it's done, but just to make
it clear before you do this. 8-)

>Actually, the external router's ethernet port now is 208.195.117.2 with a
>mask /25. Will I need to change the mask here too? And if yes, why does the
>router tell me "invalid mask /25"? (The router is a CISCO 4000.)

    conf t
    ip subnet-zero
    wr mem

Without this you cannot use any .0 subnet, and in this case that would waste
a few addresses.

>Other questions:
>
> I think it's possible to connect the firewall directly to the
>router (without a hub) with a cross cable. Does it work, or is it necessary
>to use the hub?

Yes. A cross cable will work.

Jeff Mountin - Unix Systems
TCP/IP networking
jeff@mountin.net
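The two designs discussed above, worked through as an added example that is not part of this thread: a Python script that splits the class C into the two /25s, flags that the outside half is the all-zeros subnet the Cisco rejects until `ip subnet-zero` is set, and renders the host-side commands for the private-address mapping (outside-interface aliases, natd `redirect_address` lines and the ipfw divert rule). The interface name ed0, the 192.168.117.0/24 block and the natd(8)/ipfw(8) syntax are assumptions of this example, not taken from the thread.

```python
import ipaddress

# Addresses from the thread; the interface name and the private block are
# assumptions for this example.
CLASS_C = ipaddress.ip_network("208.195.117.0/24")
PRIVATE = ipaddress.ip_network("192.168.117.0/24")
EXT_IF = "ed0"


def split_class_c(net=CLASS_C):
    """Split the /24 into the two /25s proposed in the thread and report
    whether the outside half is the all-zeros subnet, which classful IOS
    refuses unless 'ip subnet-zero' is configured."""
    outside, inside = net.subnets(new_prefix=25)
    return {
        "outside": outside,
        "inside": inside,
        "outside_is_subnet_zero": outside.network_address == net.network_address,
        "usable_per_half": outside.num_addresses - 2,   # minus network/broadcast
        "usable_unsplit": net.num_addresses - 2,        # what NAT leaves you
    }


def static_mappings(count, public=CLASS_C, private=PRIVATE, first=1):
    """Pair public .N with private .N for N = first .. first+count-1.
    Indexing an IPv4Network yields the Nth address in the block."""
    return [(public[i], private[i]) for i in range(first, first + count)]


def render_config(mappings, ext_if=EXT_IF):
    """Commands for the NAT design: alias each public IP on the outside
    interface, map it to its private host in natd.conf, and divert traffic
    crossing the outside interface through natd (assumed syntax)."""
    aliases = [f"ifconfig {ext_if} inet {pub} netmask 255.255.255.255 alias"
               for pub, _ in mappings]
    natd = [f"interface {ext_if}"] + [f"redirect_address {priv} {pub}"
                                      for pub, priv in mappings]
    ipfw = [f"ipfw add divert natd ip from any to any via {ext_if}"]
    return {"ifconfig": aliases, "natd.conf": natd, "ipfw": ipfw}


if __name__ == "__main__":
    info = split_class_c()
    print(f"outside {info['outside']} subnet-zero={info['outside_is_subnet_zero']}")
    for section, lines in render_config(static_mappings(2)).items():
        print(f"# {section}")
        print("\n".join(lines))
```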