[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: NAT and DMZ-ing
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: NAT and DMZ-ing
- From: "Clint M. Sand" <schwack_(_at_)_neotrance_(_dot_)_dyndns_(_dot_)_org>
- Date: Wed, 16 Apr 2003 00:08:42 -0500
On Tue, Apr 15, 2003 at 10:44:34PM -0500, fringet1 wrote:
> Currently the company I work for is running a SonicWall firewall
> appliance for their firewall solution. We are discussing switching over
> to a different solution. I have been running and working with OpenBSD
> for about 2 yrs and love it of course. The setup is they have an entire
> block of hot IP's and a about 175 - 200 clients internal. A total of
> about 10 "servers". All of which reside on a 192.168.1.xxx range the
> SonicWall acts as the DHCP Server and the split between the DMZ and the
> LAN. The split is an actual connection on the SonicWall. I have pretty
> much come up with a way to do everything except a secure solution to run
> the DMZ. There is actually really only 1 Server that needs to be
> connected to the DMZ, but the issue is it has a large block of the hot
> subnet as its ip's for multiple websites. It is a 2k server.
> Unfortunately I cannot change any of that because of company politics.
> I need a way to "DMZ" this server so that it is able to use those public
> ip's but still have the ability to run the packets through pf. In nat
> I don't see a way for that to work. If I understand bridging bypasses
> the filter, <snip>
...from man bridge:
Bridged packets pass through pf(4) twice. They can be filtered on
any interface, in both directions. For stateful filtering, filtering
on only one interface (using `keep state') and passing all traffic
on the other interfaces is recommended.
Or.. you can get a /32 from your isp and have them route that DMZ
server's public ip's to the /32. Or.. you could do 1 to 1 nat mappings
with binat rules and proxy arp for them to the DMZ.
I have actually replaced a sonicwall before with openbsd for a customer.
Once i got their isp to understand subnetting *sigh*, they gave me a /32
for my router and firewall $ext_if and routed their existing range to
Visit your host, monkey.org