Subject: Re: Firewalling made difficult
To: Paul B Dokas <>
From: Patrick Welche <>
List: tech-net
Date: 08/04/1999 11:27:17
Paul B Dokas wrote:
> But, I've now got a block of IP addresses (8 to be exact) and I've got
> to make a few changes. With 8 addresses, I've got 5 usable for machines,
> one of which gets assigned to the firewall, leaving 4 more. This is where
> it gets sticky.
> I've got to map these spare IP addresses to *internal* machines such that
> the firewall will allow *bi*directional traffic. That is, packets created
> at an internal machine go through the firewall and always appear as if they
> came from the same machine. And in-bound packets from the Internet, need
> to be passed through the firewall and always get routed to the same internal
> machine.
In other words, these 5 IP addresses are real, so why bother with ipnat?
Will something like
pass in quick on outside_iface from any to realip/mask_for_block
as an ipf filter rule with similar for outbound do? And maybe see what
"fastroute" does? As you can see, I'm not very good at this business either!
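Added example, not from either poster: the two approaches touched on above written out as ipf/ipnat configuration. Interface name (ne1), the public block (192.0.2.8/29) and the internal address (10.0.0.10) are constructed placeholders. The filter-only rules assume the four spare addresses are actually reachable behind the firewall (routed or proxy-ARPed to the inside), which the thread does not settle; the ipnat bimap line is the alternative when the internal hosts keep private addresses and still need a fixed, bidirectional public identity. A default-deny pair is included so that only the intended block is exposed.

```conf
# /etc/ipf.conf -- constructed example, not the original poster's configuration
# Default deny in both directions; everything below is an explicit exception.
block in log all
block out log all

# Filter-only approach: the four "real" addresses live behind the firewall,
# so no address translation is needed. Inbound to the block on the outside
# interface, outbound from the block, both tracked with keep state so reply
# packets are matched to an existing session rather than to a wide-open rule.
pass in  quick on ne1 from any to 192.0.2.8/29 keep state
pass out quick on ne1 from 192.0.2.8/29 to any keep state

# /etc/ipnat.conf -- alternative when internal hosts keep private addresses.
# bimap gives one internal host a fixed public address in both directions:
# packets from 10.0.0.10 leave as 192.0.2.10, and packets arriving for
# 192.0.2.10 are delivered to 10.0.0.10. One line per spare address.
bimap ne1 10.0.0.10/32 -> 192.0.2.10/32
```

With the bimap line in place the ipf pass rules above still apply to the public address, since filtering of inbound packets happens before ipnat rewrites the destination and after it for outbound, so the same two pass rules cover both approaches.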