FreeBSD has a number of firewall options, each of which as far as I know
works just fine without NAT. In fact, I had much more trouble getting NAT
working under FreeBSD than I did getting ipfw working.
I think the reason all the tutorials assume you'll be using NAT is that
people tend to use BSD for cheap routers for home networks rather than
anything else.

Tom
----- Original Message -----
From: "Jimmy" <[EMAIL PROTECTED]>
To: "Quentin Hartman" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, June 05, 2002 10:12 PM
Subject: Re: Seemingly obvious Linux / BSD firewall question


>
> That is possible using OpenBSD as the firewall, with FreeBSD I am not sure,
> in Linux I am more or less sure it cannot do that, it always assumes NAT.
>
> --Jimmy
>
> On Tue, 4 Jun 2002, Quentin Hartman wrote:
>
> > Colleagues-
> > I am in the process of securing a network that currently is wide open.
> > There are several publicly addressable subnets connected via a Cisco router
> > which is in turn connected to another router which is where we get our
> > Internet access (border router). I intend to physically place a firewall
> > machine between the internal router and the border router. Some addresses
> > on the network must remain publicly addressable, primarily for services
> > from an ASP we use. All of the information I have found indicates that in
> > order for a Linux/BSD machine to act as a stateful firewall (or any kind
> > of firewall for that matter), it must also be doing NAT translation. That
> > intuitively seems wrong, and would make this sort of configuration unusable
> > to me. It seems that a netfilter configuration should be able to do this
> > without doing the NAT translation. Is all the documentation simply written
> > assuming you need NAT as well, or is using it actually not avoidable? Based
> > on my simple explanation of the configuration, do any of you have
> > suggestions for firewall placement that may be better? Ideally, I would
> > purchase the firewall addon software for the internal Cisco router, but it
> > is too costly for my budget.
> >
> > -Regards-
> >      -Q-
> >
>
