
Re: NAT and DMZ-ing



On Tue, Apr 15, 2003 at 10:44:34PM -0500, fringet1 wrote:
> Currently the company I work for is running a SonicWall firewall
> appliance for their firewall solution.  We are discussing switching over
> to a different solution.  I have been running and working with OpenBSD
> for about 2 yrs and love it of course.  The setup is they have an entire
> block of hot IPs and about 175 - 200 clients internal.  A total of
> about 10 "servers".  All of which reside on a 192.168.1.xxx range; the
> SonicWall acts as the DHCP server and the split between the DMZ and the
> LAN.  The split is an actual connection on the SonicWall.  I have pretty
> much come up with a way to do everything except a secure solution to run
> the DMZ.  There is actually really only 1 server that needs to be
> connected to the DMZ, but the issue is it has a large block of the hot
> subnet as its IPs for multiple websites.  It is a 2k server.
> Unfortunately I cannot change any of that because of company politics.
> I need a way to "DMZ" this server so that it is able to use those public
> IPs but still have the ability to run the packets through pf.  In NAT
> I don't see a way for that to work.  If I understand, bridging bypasses
> the filter, <snip>


...from man bridge:

NOTES
Bridged packets pass through pf(4) twice.  They can be filtered on
any interface, in both directions.  For stateful filtering, filtering
on only one interface (using `keep state') and passing all traffic
on the other interfaces is recommended.

Or... you can get a /32 from your ISP and have them route that DMZ
server's public IPs to the /32. Or... you could do 1-to-1 NAT mappings
with binat rules and proxy ARP for them to the DMZ.

I have actually replaced a SonicWall before with OpenBSD for a customer.
Once I got their ISP to understand subnetting *sigh*, they gave me a /32
for my router and firewall $ext_if and routed their existing range to
that.

Clint
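As an added illustration of the binat + proxy ARP option and of the "filter on one bridge member only" advice from bridge(4) (this is my own sketch, not Clint's config or anything from the OpenBSD project), here is a pf.conf in the pre-4.7 syntax that was current in 2003. Everything concrete in it is an assumption: the fxp interface names, the 192.168.2.0/24 DMZ subnet behind the firewall, the 203.0.113.x public addresses (a documentation range standing in for the "hot" block) and the MAC address in the arp(8) comment.

```pf
# Added example, not from the thread. pf.conf for the binat + proxy ARP
# layout: the web server sits on a private DMZ segment with one private
# alias per public address it serves, and pf maps each alias 1:1 to its
# public address. All names and addresses below are made-up placeholders.

ext_if  = "fxp0"            # toward the ISP; holds one address from the hot block
int_if  = "fxp1"            # LAN
dmz_if  = "fxp2"            # DMZ

lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"

# Private aliases configured on the web server, one per website.
web_priv = "{ 192.168.2.10, 192.168.2.11, 192.168.2.12 }"

# --- translation --------------------------------------------------------
# binat is bidirectional: inbound packets for the public address are
# rewritten to the private alias before filtering, outbound packets from
# the alias leave with the public source address.
binat on $ext_if from 192.168.2.10 to any -> 203.0.113.10
binat on $ext_if from 192.168.2.11 to any -> 203.0.113.11
binat on $ext_if from 192.168.2.12 to any -> 203.0.113.12

# LAN clients share the firewall's own external address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# --- filtering ----------------------------------------------------------
# Last matching rule wins unless "quick" is used, so start closed.
block in log all
pass out all keep state
pass quick on lo0 all

# Filtering happens after translation, so inbound rules on $ext_if match
# the private alias, not the public address. Only HTTP/HTTPS gets in.
pass in on $ext_if proto tcp from any to $web_priv port { 80, 443 } \
    flags S/SA keep state

# LAN may go anywhere (including to the DMZ server) with state.
pass in on $int_if from $lan_net to any keep state

# The DMZ host may reach the Internet but must never initiate into the LAN;
# if it is compromised this is the rule that contains it.
block in log quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if from $dmz_net to any keep state

# --- proxy ARP (run on the firewall, outside pf.conf) --------------------
# The firewall must answer ARP for each public address on the ISP segment
# so that the upstream router delivers those packets to $ext_if. With the
# arp(8) "pub" flag and $ext_if's own MAC (placeholder below):
#   arp -s 203.0.113.10 00:00:00:aa:bb:cc pub
#   arp -s 203.0.113.11 00:00:00:aa:bb:cc pub
#   arp -s 203.0.113.12 00:00:00:aa:bb:cc pub
# The /32-from-the-ISP option Clint describes removes this step entirely,
# because the ISP then routes the whole block to $ext_if's address.

# --- bridge alternative (server keeps its public IPs on the wire) --------
# Per bridge(4), filter on the outside member only with keep state and pass
# everything on the inside member, so each packet is evaluated once:
#   pass quick on $dmz_if all
#   pass in on $ext_if proto tcp from any to 203.0.113.10 port { 80, 443 } \
#       flags S/SA keep state
```

Two things worth checking after loading this: `pfctl -sn` should show the three binat pairs, and `arp -an` on the firewall should list the public addresses with the published flag; if either is missing, inbound connections to the websites will simply time out at the ISP's router with nothing logged by pf.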


