Subject: Re: Firewalling made difficult
To: Paul B Dokas <dokas@cs.umn.edu>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-net
Date: 08/04/1999 18:21:33
>>>>> "Paul" == Paul B Dokas <dokas@cs.umn.edu> writes:
Paul> I've got to map these spare IP addresses to *internal* machines
Paul> such that the firewall will allow *bi*directional traffic. That
Paul> is, packets created at an internal machine go through the firewall
Paul> and always appear as if they came from the same machine. And
Paul> in-bound packets from the Internet, need to be passed through the
Paul> firewall and always get routed to the same internal machine.
Most basic way is to give these machines aliases which are their 10.x
addresses and do,
"route add -host A.B.C.Q 10.0.0.Q"
and: "arp -s FI:RE:WA:EX:TE:RN A.B.C.Q"
on the firewall. Then just set up normal firewall rules. It has been
a while since I tried to do this.
The alternative is that you need to do real bridging.
One trick is going to be making sure that the internal machines use their
external address when talking to the world.
Paul> Just in case you're wondering, I plan to set up highly selective
Paul> filters at the firewall so that these statically mapped internal
Paul> machines will only talk to a very few select computers on the
Paul> Internet. And then only a few ports on each internal machine will
Paul> be visible. Yea, yea, I know, "Yuck!". Unfortunately, I don't
Paul> have a choice. :-( I would create VPNish tunnels to accomplish
Paul> this, but that's also not an option.
If you can arrange for custom applications, then you can solve the source
address problem with bind(2).
] Out and about in Ottawa. hmmm... beer. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [
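The bind(2) trick mentioned in the reply, shown as an added example that is not part of the original mail: binding a TCP socket to a chosen local address before connect(2) fixes the source address the peer sees, which is how an internal host with an aliased external address can be made to "use their external address when talking to the world" without bridging. The example is self-contained and runs entirely over loopback: it starts a listener on 127.0.0.1, connects to it with the source bound to a second loopback address, and reports the address the accepting side observed. The addresses 127.0.0.1/127.0.0.2 and the helper names are assumptions for the demonstration; using 127.0.0.2 as a source assumes a kernel that treats all of 127/8 as loopback (Linux does; some BSDs only configure 127.0.0.1 by default, in which case substitute an address configured on the box).

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP connection to dst_ip:dst_port using src_ip as the source
 * address. The bind(2) before connect(2) is the whole trick: without it
 * the kernel picks the source address from the route, which for an
 * aliased host is usually the primary (internal 10.x) address.
 * Returns the connected fd, or -1 on failure. */
static int connect_from(const char *src_ip, const char *dst_ip, unsigned short dst_port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;

    struct sockaddr_in src;
    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = 0;                 /* port 0: kernel picks an ephemeral port */
    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0) {
        close(fd);
        return -1;
    }

    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&dst, sizeof dst) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Listener on listen_ip with a kernel-chosen port (reported via port_out),
 * so the demonstration needs no fixed port. Returns the listening fd or -1. */
static int start_listener(const char *listen_ip, unsigned short *port_out)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    int one = 1;
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = 0;
    if (inet_pton(AF_INET, listen_ip, &a.sin_addr) != 1 ||
        bind(lfd, (struct sockaddr *)&a, sizeof a) < 0 ||
        listen(lfd, 1) < 0) {
        close(lfd);
        return -1;
    }
    socklen_t len = sizeof a;
    if (getsockname(lfd, (struct sockaddr *)&a, &len) < 0) {
        close(lfd);
        return -1;
    }
    *port_out = ntohs(a.sin_port);
    return lfd;
}

/* Connect from src_ip to a loopback listener and write the source address
 * the accepting side saw into seen (dotted quad). Returns 0 on success,
 * -1 on any failure. 127.0.0.1 as the listener address is an assumption. */
int source_seen_by_peer(const char *src_ip, char *seen, size_t seen_len)
{
    unsigned short port;
    int lfd = start_listener("127.0.0.1", &port);
    if (lfd < 0) return -1;

    int cfd = connect_from(src_ip, "127.0.0.1", port);
    if (cfd < 0) { close(lfd); return -1; }

    /* The peer's view of our source address comes from accept(2). */
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    int afd = accept(lfd, (struct sockaddr *)&peer, &plen);
    close(cfd);
    close(lfd);
    if (afd < 0) return -1;
    close(afd);
    return inet_ntop(AF_INET, &peer.sin_addr, seen, (socklen_t)seen_len) ? 0 : -1;
}

int main(void)
{
    char seen[INET_ADDRSTRLEN];
    if (source_seen_by_peer("127.0.0.2", seen, sizeof seen) == 0)
        printf("peer saw source %s\n", seen);
    else
        printf("connection failed (is 127.0.0.2 configured as loopback?)\n");
    return 0;
}
```

In the firewall scenario from the mail, src_ip would be the host's aliased A.B.C.Q address rather than a loopback one; everything else is the same. Note that this only helps applications you control, exactly as the reply says: daemons and clients that call connect(2) without a prior bind(2) keep using the route-selected address, and the firewall rules then see the 10.x source.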