Hi Quentin,
> Internet access (border router). I intend to physically place a firewall
> machine between the internal router and the border router. Some addresses

That's a good placement. But be aware that you add one single point of failure (maybe a topic).

> on the network must remain publicly addressable, primarily for services
> from an ASP we use. All of the information I have found indicates that in
> order for a Linux/ BSD machine to act as a stateful firewall (or any kind
> of firewall for that matter), it must also be doing NAT translation. That

No, I don't think so. At least OpenBSD does not need to do NAT for stateful inspection with pf. I don't know about Linux, but I think it can do stateful inspection without NAT, too.

> assuming you need NAT as well, or is using it actually not avoidable? Based
> on my simple explanation of the configuration, do any of you have
> suggestions for firewall placement that may be better? Ideally, I would
> purchase the firewall addon software for the internal Cisco router, but it
> is too costly for my budget.

I think an OpenBSD firewall is much better than Cisco addons, but that is only my opinion. Perhaps you should configure the OpenBSD box as a bridge, so that it does not need any IP address and therefore can't be attacked via the TCP/IP stack. But this is only your friend if you have console access.

h2h
Volker
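As an added example, not part of Volker's message or the original thread, here is a pf.conf for the setup he describes: an OpenBSD box bridging two NICs with no IP address of its own, doing stateful filtering with no NAT rule anywhere, while the ASP-facing hosts stay publicly reachable. Interface names, addresses and ports are assumed placeholders, and the syntax is current OpenBSD pf rather than the pf of the thread's era.

```pf
# Assumed interface files (constructed for this example), two NICs bridged,
# neither carrying an IP address:
#   /etc/hostname.em0:     up
#   /etc/hostname.em1:     up
#   /etc/hostname.bridge0: add em0 add em1 up
# em0 faces the border router, em1 faces the internal Cisco router.

ext_if = "em0"
int_if = "em1"

# Constructed placeholder addresses. The public block stays routed by the
# border router, so the firewall never rewrites a source or destination.
lan       = "203.0.113.0/24"
asp_hosts = "{ 203.0.113.10, 203.0.113.11 }"
asp_ports = "{ 80, 443 }"

# Filter once, on the outside interface; the inside interface just bridges.
set skip on { lo0 $int_if }
# A state created on em0 matches the same flow on any interface.
set state-policy floating

# No nat-to / rdr-to anywhere: stateful filtering does not require NAT.
block log all

# Outbound: any LAN-originated flow creates state; replies match the state
# table rather than needing their own pass rule.
pass out on $ext_if inet from $lan keep state

# Inbound: only the ASP-facing hosts, only on the published ports, and only
# a bare SYN may open a state (full handshake tracking).
pass in on $ext_if inet proto tcp to $asp_hosts port $asp_ports \
    flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; since the box has no address, do this from the console, as the message says.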