Correct way to configure an IP range for firewall
Al Plant
noc at hdk5.net
Wed Sep 9 19:14:48 UTC 2009
Maxim Khitrov wrote:
> Hello all,
>
> A quick question - I have a /29 block of IPs that needs to be handled
> by a firewall I'm setting up. Two addresses are lost to broadcast and
> network, one is the ISP gateway, so we end up with 5 usable IPs that
> can be assigned to the external interface. The question is how to do
> this correctly?
>
> I want only one of the addresses assigned to the firewall itself,
> another will be used as the public nat address for all hosts on the
> lan. Remaining three addresses will be used as bidirectional nat for
> servers.
>
> Am I correct in assuming that I just need to add four
> ifconfig_vr0_alias[0-3] lines to rc.conf? What happens if in the
> future we get a much bigger IP block, is there a more efficient way of
> accomplishing the same thing? I don't actually want the firewall to
> consider itself the final destination for any of the additional IPs,
> it just needs to pass them to pf for nat and filtering.
>
> - Max
Aloha Max,
What you have sounds like an ATM (Asynchronous Transfer Mode) circuit.
I have one here that is for three servers, a desktop, and one spare IP.
I got the setup from Michael Paoli at cal.berkely.edu in California.
With the setup I had to put firewalls (PF) on the three servers facing the
internet and on the desktop as well. There are two references I used for this
firewall setup: Absolute FreeBSD by M. Lucas, pg. 273, and bsdly.net by Peter
Hansteen. Both are on this list.
If you would like to see the three sheets on how I set this up I can fax
them to you or email them.
The setup for more IPs should be scalable, but the IPs and default
route would change, I would think. You could keep using /29 ATM blocks
and increase in increments with different IPs, most likely without
changing the first ones.
~Al Plant - Honolulu, Hawaii - Phone: 808-284-2740
+ http://hawaiidakine.com + http://freebsdinfo.org +
+ http://aloha50.net - Supporting - FreeBSD 6.* - 7.* - 8.* +
< email: noc at hdk5.net >
"All that's really worth doing is what we do for others." - Lewis Carroll
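The rc.conf alias lines plus the pf nat/binat split that Max describes, written out as an added illustration that is not part of the thread. The interface names vr0/vr1, the LAN prefix 10.0.0.0/24 and the /29 block 192.0.2.0/29 (RFC 5737 documentation range: .0 network, .1 ISP gateway, .2 to .6 usable, .7 broadcast) are assumptions standing in for the real values.

```conf
# Added illustration; addresses are constructed from the RFC 5737
# documentation range 192.0.2.0/29 and the interface names are assumed.
#
# /etc/rc.conf: one primary address, four aliases on the same /29.
# Aliases that fall inside an already configured subnet take a /32 netmask.
#   defaultrouter="192.0.2.1"
#   ifconfig_vr0="inet 192.0.2.2 netmask 255.255.255.248"
#   ifconfig_vr0_alias0="inet 192.0.2.3 netmask 255.255.255.255"
#   ifconfig_vr0_alias1="inet 192.0.2.4 netmask 255.255.255.255"
#   ifconfig_vr0_alias2="inet 192.0.2.5 netmask 255.255.255.255"
#   ifconfig_vr0_alias3="inet 192.0.2.6 netmask 255.255.255.255"
#   pf_enable="YES"
#
# /etc/pf.conf
ext_if  = "vr0"
int_if  = "vr1"
lan_net = "10.0.0.0/24"          # private LAN behind $int_if
nat_ip  = "192.0.2.3"            # shared public address for outbound LAN traffic
srv_a   = "10.0.0.10"            # internal servers ...
srv_b   = "10.0.0.11"
srv_c   = "10.0.0.12"
pub_a   = "192.0.2.4"            # ... and their public 1:1 addresses
pub_b   = "192.0.2.5"
pub_c   = "192.0.2.6"

set skip on lo0
scrub in all

# Outbound LAN traffic leaves as the dedicated NAT address rather than
# the firewall's own primary address.
nat on $ext_if from $lan_net to any -> $nat_ip

# Bidirectional 1:1 mapping: inbound packets for a public alias are
# rewritten to the server before filtering, outbound packets from the
# server appear as the public alias.
binat on $ext_if from $srv_a to any -> $pub_a
binat on $ext_if from $srv_b to any -> $pub_b
binat on $ext_if from $srv_c to any -> $pub_c

# Default deny, then allow only what the mappings are meant to serve.
# Filter rules see post-translation addresses, so inbound rules name the
# internal server, not its public alias.
block log all
pass out quick on $ext_if keep state
pass in on $int_if from $lan_net keep state
pass in on $ext_if proto tcp to { $srv_a, $srv_b, $srv_c } \
    port { 22, 80, 443 } flags S/SA keep state
# The firewall itself is reachable only on its primary address; traffic to
# the NAT alias that is not a reply to a state entry is dropped.
pass in on $ext_if proto tcp to 192.0.2.2 port 22 flags S/SA keep state
```

Check the translation and filter rule sets separately with `pfctl -s nat` and `pfctl -s rules` after loading, and confirm that the aliases show up under `ifconfig vr0`.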