Hello Quentin,

Glad to hear your question; I recently had a similar question posed to me.

I recently created a 'transparent' firewall using OpenBSD 3.0 following
'Memoirs of an Invisible Firewall':

http://www.openlysecure.org/openbsd/how-to/invisible_firewall.html

You'll also want to consult the Packet Filter section of the FAQ for rules:
http://www.openbsd.com/faq/faq6.html#PF

I have a few more links about PF rules but I'll have to dig for them.

Shaun Sturby, MCSE
Network Specialist
Optrics Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Optrics Inc. and FundSoft - Canadian Ipswitch Premier Partners
Email: [EMAIL PROTECTED] Website: <http://www.optrics.com>
Snail: Suite 100 4911 - 114 St. Edmonton, AB, Canada, T6H 3L5
Tel:(780) 466-6016 Toll Free: 1-877-386-3763 Fax:(780) 432-5630
Solutions for a Connected World: <http://www.optrics.com/linecard.htm>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
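To show concretely what the transparent-firewall setup above looks like in rules, here is an added example pf.conf for a two-interface OpenBSD bridge that does stateful filtering with no nat or rdr line at all. It is not taken from the how-to linked above or from the OpenBSD FAQ; the interface names (xl0, xl1), the public subnet 192.0.2.0/24, the ASP hosts and the port list are assumptions for illustration. The syntax is the explicit OpenBSD 3.x form (flags S/SA keep state), which later pf versions still accept.

```pf
# Transparent (bridging) PF firewall: stateful filtering, no NAT.
# Added example, not code from the referenced how-to. Interface names,
# addresses and the service list below are assumptions for illustration.

ext_if     = "xl0"                          # toward the border router
int_if     = "xl1"                          # toward the internal Cisco router
public_net = "192.0.2.0/24"                 # publicly routed subnet behind the bridge (assumed)
asp_hosts  = "{ 192.0.2.10, 192.0.2.11 }"   # hosts the ASP must reach (assumed)
asp_ports  = "{ 80, 443 }"                  # services those hosts publish (assumed)

# Reassemble fragments and clean up flags before any rule is evaluated
scrub in all

# There is deliberately no "nat" or "rdr" line: the bridge has no address
# on the forwarding path and passes packets with their addresses untouched.

# Default deny on the outside interface, logged so misses show up in pflog
block in  log on $ext_if all
block out log on $ext_if all

# Both bridge members see every frame; filter once, on $ext_if, and let
# the inside member pass everything so state is only created in one place
pass quick on $int_if all

# Anti-spoofing: nothing arriving from the Internet may claim an inside source
block in quick on $ext_if from $public_net to any

# Inbound: only the published ASP services, new connections only, stateful
pass in quick on $ext_if proto tcp from any to $asp_hosts port $asp_ports \
    flags S/SA keep state

# ICMP echo so the hosts stay pingable (assumed policy; drop if not wanted)
pass in quick on $ext_if inet proto icmp from any to $public_net \
    icmp-type echoreq keep state

# Outbound: anything the inside starts; replies are matched by the state table
pass out quick on $ext_if proto tcp from $public_net to any flags S/SA keep state
pass out quick on $ext_if proto { udp, icmp } from $public_net to any keep state
```

Bringing the bridge up is done outside pf.conf (on 3.x with brconfig, e.g. /etc/hostname.bridge0 containing "add xl0 add xl1 up" and "up" in hostname.xl0 and hostname.xl1; check bridge(4) and brconfig(8) for your release, since this is an assumption about that era's syntax). Load the rules with pfctl -e -f /etc/pf.conf, then confirm with pfctl -s rules that no nat rules are present and with pfctl -s state that a connection from an inside host to the Internet creates exactly one state entry on xl0. Because no address is rewritten, the ASP hosts keep their public addresses and the Cisco routers on either side never learn the firewall exists.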

-----Original Message-----
From: Quentin Hartman [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 12:31 PM
To: [EMAIL PROTECTED]
Subject: Seemingly obvious Linux / BSD firewall question


Colleagues-
        I am in the process of securing a network that currently is wide open.
There are several publicly addressable subnets connected via a Cisco router
which is in turn connected to another router which is where we get our
Internet access (border router). I intend to physically place a firewall
machine between the internal router and the border router. Some addresses
on the network must remain publicly addressable, primarily for services
from an ASP we use. All of the information I have found indicates that in
order for a Linux/BSD machine to act as a stateful firewall (or any kind
of firewall for that matter), it must also be doing NAT translation. That
intuitively seems wrong, and would make this sort of configuration unusable
to me. It seems that a netfilter configuration should be able to do this
without doing the NAT translation. Is all the documentation simply written
assuming you need NAT as well, or is using it actually not avoidable? Based
on my simple explanation of the configuration, do any of you have
suggestions for firewall placement that may be better? Ideally, I would
purchase the firewall addon software for the internal Cisco router, but it
is too costly for my budget.

-Regards-
     -Q-

___________________________________________________________________________________

IMail Server has scanned this e-mail for viruses using Declude Virus from
Optrics.com
