ipfw - accessing DMZ from LAN

Chuck Swiger cswiger at mac.com
Tue Aug 9 14:19:10 UTC 2011


On Aug 9, 2011, at 6:45 AM, Marek Salwerowicz wrote:
> On 2011-08-09 15:26, Chuck Swiger wrote:
>> dummynet (or Altq, or whatever else you might be using) works fine with pure routing config, yes-- you don't have to NAT traffic to do bandwidth control on the router.
> 
> How it should be done?
> Leave the aliases at my external interface, and then 'bridge' DMZ interface with external and set up public IPs on my DMZ hosts?

You don't need to do NAT aliasing if you make your DMZ hosts directly routable-- you just need to do firewall and bandwidth shaping.  If your provider is cooperative, then their end and your external NIC (vr3?) can switch to communicate over an unroutable /30 subnet, and your FreeBSD box's DMZ NIC (vr2) is reconfigured with the public router IP they are now vending.

If they aren't willing to make such changes, then yes, you could bridge between vr3 and vr2 instead; you need to set the net.link.ether.bridge_ipfw=1 sysctl for IPFW to act on bridged traffic.

There are more complicated solutions which could also work, but there doesn't seem to be a need for them.  IMO, it's cleaner and more efficient to explicitly route between networks off of a firewall than it is to permit subnet-local broadcast traffic to pass through the firewall.

Regards,
-- 
-Chuck
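The routed layout Chuck describes (DMZ on public addresses behind vr2, a /30 toward the provider on vr3, shaping with dummynet and no NAT aliasing), as an added example that is not from the thread. Interface names vr1/vr2/vr3 follow the thread; all addresses are placeholders, the pipe bandwidths are made up, and the private LAN's own Internet access (which would still need NAT) is deliberately left out.

```sh
#!/bin/sh
# Added example, not part of the thread. Routed DMZ without NAT aliasing.
# Assumed (placeholder) addressing:
#   vr3 external NIC, 203.0.113.1/30 with the provider at 203.0.113.2
#   vr2 DMZ NIC, 198.51.100.1/28 (public block the provider routes to us)
#   vr1 LAN NIC, 192.168.1.0/24
EXT_IF=vr3; EXT_ADDR=203.0.113.1/30; EXT_GW=203.0.113.2
DMZ_IF=vr2; DMZ_ADDR=198.51.100.1/28; DMZ_NET=198.51.100.0/28
LAN_IF=vr1; LAN_NET=192.168.1.0/24

# Emit the ipfw ruleset on stdout so it can be reviewed before loading.
fw_rules() {
    cat <<EOF
flush
# dummynet shapes the DMZ's share of the link; no NAT is involved.
pipe 1 config bw 10Mbit/s
pipe 2 config bw 10Mbit/s
add 100 allow ip from any to any via lo0
# Pipes come first and only act as a pure shaper with one_pass=0;
# otherwise a packet leaving the pipe is accepted without filtering.
add 200 pipe 1 ip from any to $DMZ_NET in via $EXT_IF
add 210 pipe 2 ip from $DMZ_NET to any out via $EXT_IF
add 300 check-state
# LAN reaches the DMZ directly: it is just another routed subnet.
add 400 allow ip from $LAN_NET to $DMZ_NET in via $LAN_IF keep-state
# Only published services are reachable from the outside.
add 500 allow tcp from any to $DMZ_NET 80,443 in via $EXT_IF setup keep-state
add 510 allow udp from $DMZ_NET to any 53 out via $EXT_IF keep-state
# A compromised DMZ host must not be able to initiate into the LAN.
add 600 deny log ip from $DMZ_NET to $LAN_NET
add 65000 deny log ip from any to any
EOF
}

case "${1:-}" in
apply)  # Only when explicitly asked: configure interfaces and load rules.
    ifconfig "$EXT_IF" inet "$EXT_ADDR"
    ifconfig "$DMZ_IF" inet "$DMZ_ADDR"
    route add default "$EXT_GW"
    sysctl net.inet.ip.forwarding=1 net.inet.ip.fw.one_pass=0
    tmp=$(mktemp) && fw_rules > "$tmp" && ipfw -q "$tmp" && rm -f "$tmp"
    ;;
*)      fw_rules ;;   # default: print the ruleset for review
esac
```

Run without arguments to print the ruleset; `apply` loads it with `ipfw -q`, which implies `-f` so the leading `flush` does not prompt.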