[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: newbie advice question - pf in front of multiple comps...



On Dec 1, 2004, at 11:43 AM, b h wrote:

okay, ignore most of my question - I'm sorry I didn't
figure this before posting (another recent msg on misc
got me to look at this) - looks like binat is what I
want.

Your original message said the protected servers would have publicly routable addresses, hence the bridge. If you're using RFC1918 addresses instead, then yes, you want binat.


But I'm still confused how the firewall gets these
packets to begin with - is the firewall supposed to
have aliased all the external address?

You can alias them if they're on the same public interface as your primary address, or you can have them on a dedicated interface. If you're going to have more than one IP per interface, you'll need aliases.


ie, doing binat similar to the following...
xx.xx.xx.3 -> 10.10.10.3
xx.xx.xx.4 -> 10.10.10.4

http://www.openbsd.org/faq/pf/nat.html#binat


and the firewall will have (in hostname.fxp0 for ex.)

inet xx.xx.xx.3 0xffffff00 NONE
inet alias xx.xx.xx.4 0xffffff00 NONE

http://www.openbsd.org/faq/faq6.html#Setup


Please read the FAQ and manpages. They are quite good, and would have answered all of your questions. We're here to help, but you need to try and help yourself too. :)

HTH.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net