Juergen Heberling wrote:
map em0 192.168.1.0/24 -> 220.127.116.11-10
.. snip ..
I tried your suggestion of using the cidr notation format and that work;
However I am concerned about overlapping mappings in the cidr range with
host-to-host maps - my cidr range is a /28, for example,
and I want to map (spoof) some IP address in the middle to, say the web
or mail servers. In order to avoid the overlap I was counting on the
"range" specification on the map command.
Well, my suggestion is not to exhaust your precious /28 address space
right away. And don't make your life unnecessary difficult, why choose
the addreses in the middle for bimap?
Rather than using all your external ip's right away I would save some
for later expansion, and reserve one for debugging. You may need to
connect a laptop on the external net to figure out what's going on. You
could do this: x.x.x.0/29 to servers (bimap), x.x.x.8/30 debug and
future expansion (not mapped), x.x.x.12/30 map for lan clients.
If you stick to cidr you can also write your filter rules in cidr making
it far easier to read an maintain.
For the mapping, and bimapping consider this:
The /24 network you want to map, it contains at most 254 hosts. If you
map that network to a single ip, then each host can establish at least
256 simultaneous connections. My experience is that this is far mor than
needed in most normal operating environments. I'd suggest using the same
ip as on the firewall external interface.
If the purpose of binatting is to make one service available, http say,
then you may consider using rdr. IIRC you can also use rdr to round
robin load balancing incoming connections.
That way you can have one host serving http and another serving smtp on
the same external ip. The only reason to use different ip's is if you're
hosting a number of https servers, each need a different ip.
There's no point in bimapping all ports on a external ip to one single
internal ip if most of them are blocked by the filter.
Ph: +34.666334818 web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
email@example.com mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"