Date:      Fri, 2 Oct 1998 22:30:33 +1200 (NZST)
From:      Andrew McNaughton <andrew@squiz.co.nz>
To:        ark@eltex.ru
Cc:        agalindo@servidor.exsocom.com.mx, kim@tinker.com, freebsd-security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject:   Re: Firewall with 2 NIC and a NET class C
Message-ID:  <Pine.BSF.4.01.9810022211530.321-100000@aniwa.sky>
In-Reply-To: <199810020908.NAA21458@paranoid.eltex.spb.ru>


I'm still getting to grips with this stuff, so please correct me if I've
got it wrong.


On Fri, 2 Oct 1998 ark@eltex.ru wrote:

> Alejandro Galindo Chairez AGALINDO  <agalindo@servidor.exsocom.com.mx> said:
>  
> > > You have a couple of ways to approach this.  You could use network address
> > > translation and have private addresses for all your machines.  The "public"
> > > machines would have static mappings to real IP addresses that are aliased
> > > on the outside interface of the firewall.  You would also use ipfw rules to
> > > control the traffic.
> > 
> > OK, I like the idea of having static mappings to real IP addrs. that are
> > aliased on the out interface; how can I do that?
> 
> It is definitely a BAD idea. It breaks any reasonable security policy.

Care to elaborate?  What sort of security measure does this prevent or
weaken?


I imagine a setup where the firewall has route entries directing the real
IPs of the servers to their addresses in the private address space, and
those machines have the real IPs mapped onto their loopback interface.

So long as the firewall has rules to prevent spoofed packets appearing to
come from the private address space, and otherwise blocks all but the
necessary traffic, it seems this should work.


Earlier discussion of splitting the class C network of real IPs seemed
wasteful.  Even if all the machines behind the firewall were to have real
IPs, why waste half of them on the connection from the outside router to
the firewall?  Those interfaces could use private IPs even if nothing else
did.

Andrew McNaughton
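The setup sketched in the message above (host routes from each real IP to the server's private address, the real IP aliased on the server's lo0, and anti-spoof rules on both firewall interfaces), modelled as an added example that is not part of the original thread. The interface names ed0/ed1 and the address blocks 203.0.113.0/24 and 192.168.1.0/24 are constructed assumptions standing in for the poster's class C and private space.

```python
import ipaddress

# Constructed example addresses (assumptions, not from the thread): ed0 is the
# outside NIC, ed1 the inside NIC, 203.0.113.0/24 stands in for the class C of
# real IPs and 192.168.1.0/24 for the private space behind the firewall.
OUTSIDE, INSIDE = "ed0", "ed1"
PUBLIC_NET = ipaddress.ip_network("203.0.113.0/24")
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
# Real IP (aliased on the outside interface) -> private address of the server.
STATIC_MAP = {"203.0.113.10": "192.168.1.10", "203.0.113.25": "192.168.1.25"}

def next_hop(dst_ip):
    """Route lookup on the firewall: a mapped real IP is forwarded to the server's
    private address, which accepts it because the real IP sits on its lo0."""
    return STATIC_MAP.get(dst_ip, "default")

def anti_spoof_verdict(src_ip, iface):
    """Decide whether an inbound packet's source is plausible for the interface it
    arrived on. Only 'pass' continues to the service rules; 'deny' drops it."""
    src = ipaddress.ip_address(src_ip)
    if iface == OUTSIDE:
        # Nothing from the Internet may claim an address we own on either side.
        if src in PRIVATE_NET or src in PUBLIC_NET:
            return "deny"
        return "pass"
    if iface == INSIDE:
        # Inside hosts may use their private address or the real IP mapped to them
        # (server replies carry the lo0 alias as source); anything else is spoofed.
        if src in PRIVATE_NET or src_ip in STATIC_MAP:
            return "pass"
        return "deny"
    return "deny"

def ipfw_commands():
    """The same policy as ipfw(8) commands, plus the routes and lo0 aliases."""
    cmds = [f"route add -host {real} {priv}" for real, priv in STATIC_MAP.items()]
    cmds += [f"ipfw add deny ip from {net} to any in via {OUTSIDE}"
             for net in (PRIVATE_NET, PUBLIC_NET)]
    cmds.append(f"ipfw add allow ip from {PRIVATE_NET} to any in via {INSIDE}")
    cmds += [f"ipfw add allow ip from {real} to any in via {INSIDE}" for real in STATIC_MAP]
    cmds.append(f"ipfw add deny ip from any to any in via {INSIDE}")
    # Run on each server, not on the firewall: bind its real IP to the loopback.
    cmds += [f"# on {priv}: ifconfig lo0 alias {real} netmask 255.255.255.255"
             for real, priv in STATIC_MAP.items()]
    return cmds

if __name__ == "__main__":
    for line in ipfw_commands():
        print(line)
```

The service rules (which ports each mapped server may receive) would follow the anti-spoof rules and are left out here.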




