Hi, I am hoping this is an ok question for this list. I believe it is. I have just never thought about doing something like this before and it is likely totally child's play to many of you guys. :)

I am using a FreeBSD 4.11 IPFW firewall on an ADSL connection. I want to be able to take advantage of "Static NAT". So as I understand it I need this firewall machine to have another external IP that I can use to hard tie in with a local machine. But can I do this without setting up another nic? So is it possible to use DHCP to get an IP alias? In the case of our DSL provider I am guessing it would not be possible because of just having one MAC address. But I know just enough about networking to get by, so I could be totally wrong about that.

Is there a better way to allow this internal machine to have its own IP but still be firewalled? But then if I am doing this, am I really firewalling anything anyway if all of the ports are redirected to the internal machine anyway?

More specifics on what I am talking about are on http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html under the heading "25.8.5 Address Redirection"

Thanks,

Eric
Lead Programmer
D.M. Contact Management
250.383.8267 ext 229
On Tue, Jun 28, 2005 at 12:24:42PM -0700 I heard the voice of Eric Frazier, and lo! it spake thus:
But can I do this without setting up another nic? So is it possible to use DHCP to get an IP alias?
I don't think it is (I tried it a while back). I've heard there are some tricks you can do to sweet-talk it, but I don't know them. You could try manually adding the alias to it after DHCP brings up the main address, maybe. But that leads into the NAT-or-not below...
Is there a better way to allow this internal machine to have its own IP but still be firewalled?
Well, you can NAT it, or you can give it the address and route it. If you route it, you can either do it by having your upstream route that address through your firewall box explicitly, or you can proxy ARP it (this all assumes, of course, that the upstream has already allocated you the IP; otherwise it's academic).

I tend to prefer routing the address over NAT where possible; I've had to do too much fiddling with boxes that were addressed by a number they didn't really know was them. You can firewall the packets passing through the machine whether or not you NAT.

And for a simple setup like this, doing a proxy ARP would probably be easier than trying to get the upstream routing table right.

-- 
Matthew Fuller (MF4839) | fullermd@over-yonder.net
Systems/Network Administrator | http://www.over-yonder.net/~fullermd/
On the Internet, nobody can hear you scream.
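The NAT variant of what Matthew describes, with the second public address as an alias on the one ADSL NIC and ipfw rules that still filter after natd has translated the packet, as an added configuration example that is not from this thread or from the FreeBSD handbook. Interface names xl0 (ADSL) and fxp0 (LAN), the 203.0.113.11 public address and 192.168.1.10 internal host are placeholders, and the example assumes the provider has already allocated that second address; it is written in FreeBSD 4.x rc.conf and ipfw(8) syntax.

```conf
# /etc/rc.conf (FreeBSD 4.x) -- constructed example, addresses are placeholders
gateway_enable="YES"                 # forward between fxp0 (LAN) and xl0 (ADSL)
ifconfig_xl0="DHCP"                  # primary external address comes from the provider
# Second public IP on the same card: it is only an alias, no extra NIC needed.
# Host mask because it sits in the same subnet as the DHCP-assigned address.
# If the DHCP script wipes it when the lease arrives, add it afterwards instead
# (e.g. from /etc/dhclient-exit-hooks), which is the "after DHCP" route above.
ifconfig_xl0_alias0="inet 203.0.113.11 netmask 255.255.255.255"
ifconfig_fxp0="inet 192.168.1.1 netmask 255.255.255.0"

firewall_enable="YES"
firewall_type="/etc/ipfw.rules"      # our own rule file instead of a canned type
natd_enable="YES"
natd_interface="xl0"
# Static NAT (handbook 25.8.5): inbound packets for 203.0.113.11 are rewritten to
# 192.168.1.10, and 192.168.1.10's outbound traffic leaves as 203.0.113.11.
natd_flags="-redirect_address 192.168.1.10 203.0.113.11"

# /etc/ipfw.rules -- each line is an ipfw(8) command without the leading "ipfw";
# rc.firewall feeds this file to ipfw when firewall_type names a file.
add 100 allow ip from any to any via lo0
# natd rewrites the packet here and ipfw resumes at the next rule with the
# translated addresses, so the inbound rules below see 192.168.1.10, not
# 203.0.113.11. Filtering still happens; the redirect does not bypass it.
add 200 divert natd ip from any to any via xl0
add 300 check-state
# Only the services meant to be published reach the statically NATed host.
add 400 allow tcp from any to 192.168.1.10 80,443 in via xl0 setup keep-state
# Everything else arriving from the ADSL side for that host is dropped and logged:
# a static NAT does not have to expose every port.
add 500 deny log ip from any to 192.168.1.10 in via xl0
# Admin access to the firewall box itself, and LAN hosts going out.
add 550 allow tcp from 192.168.1.0/24 to me 22 in via fxp0 setup keep-state
add 600 allow ip from 192.168.1.0/24 to any in via fxp0 keep-state
# Post-translation outbound pass on xl0; the inbound replies match the dynamic
# rules created at 400/600 once natd has mapped them back to the LAN address.
add 610 allow ip from any to any out via xl0 keep-state
add 65000 deny log ip from any to any
```

The deny at rule 500 is what answers the "am I really firewalling anything" worry: after the divert, ipfw matches on the internal address, so only the ports listed at rule 400 are reachable from outside.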
I am using a FreeBSD 4.11 IPFW firewall on a ADSL connection.
Is there a better way to allow this internal machine to have its own IP but still be firewalled? But then if I am doing this, am I really firewalling anything anyway if all of the ports are redirected to the internal machine anyway?
More specifics on getting an answer to your support issue is on http://www.freebsd.org/support.html under the heading "Mailing Lists".