[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ipfilter
Subject:    ipfilter@cairo.anu.e
From:       Andrew Bergman <echoes () iprimus ! com ! au>
Date:       2002-09-20 12:13:46
[Download RAW message or body]

surely you would need four NICs, since a bridge should not have any IP
addresses on either of it's interfaces.

external network plugging into Bridge external interface
Bridge internal interface
with a patch cable into:
router external interface
and the last NIC being the internal interface for the router.

I would use OpenBSD for this rather than freebsd, personal preference.

Whether or not the system will run with the bridge and router being on the
same system is a different matter.

Also will make your IPfilter ruleset a lot bigger

My experience of that setup has been with two seperate systems

Andy


Antony Riley wrote:

> I'd like some people's opinion on the following firewall setup, if it's
> possible, and how to go about it:
>
>           <external network>
>                  |
>                  |
>           [Bridge Firewall]
>                  |
>                  |
>                <DMZ>
>                  |
>                  |
>         [NAT based Firewall]
>                  |
>                  |
>         <Private Office LAN>
>
> The above is quite simple to setup, with two seperate firewalls, but is
> it possible to set this up with one firewall, with three network cards ?
>
> One NIC on the (unfiltered) extenal network. (no configured IP Addresses)
>
> One NIC on the (filtered) DMZ. (one configured IP address, for NAT)
>
> One NIC on the Office LAN. (one configured IP address, for NAT)
>
> I'd like to know if it's possible to configure a FreeBSD box with
> IPFilter to do the combined job of both the bridging firewall, and the
> NAT based firewall, I know it's not easy, as I've attempted this before
> with OpenBSD 2.8, with disasterous results.
>
> Any thoughts / comments, on how to go about doing this ?
>
> Ok, it's not entirely applicable to this list, but I am using IPFilter ;)
>
> -Antony
>
> *************************************************************************
> This e-mail and any attachments may contain confidential or privileged
> information.  If you are not the intended recipient, please contact the
> sender immediately and do not use, store or disclose their contents.
> Any views expressed are those of the individual sender and not of Kinetic
> Information System Services Limited unless otherwise stated.
>
>                            www.kinetic.co.uk

[prev in list] [next in list] [prev in thread] [next in thread]