Re: firewall without nat
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: firewall without nat
- From: Rickard Borgmäster <doktorn_(_at_)_sub_(_dot_)_nu>
- Date: Wed, 22 Jan 2003 20:34:21 +0100
On 21 Jan 2003 10:28:00 -0800
Bryan Irvine <bryan_(_dot_)_irvine_(_at_)_kingcountyjournal_(_dot_)_com> hit the keyboard and
punched:
> Is it possible to do firewalling without NAT (he asked knowingly).
>
> How is this done?
> I'm going to be replacing an old linux firewall with an openbsd one
> (preferably) but those machines need to be accessible via the outside
> world (web servers mail servers, etc etc...).
>
> --Bryan
First of all, OpenBSD does not NAT unless you set it up to do NAT.
Second, it depends if you have one public network[1], or more. If you
have separate ip networks for the physical networks you need to protect,
just assign each interface the ip address and netmask, and make sure
routing is enabled. From there you may start building a firewall ruleset.
If you only have one public ip net, then you need static nat ('binat').
This is the way I run it. I have one /27 net, from which I assign all the
ip addresses to OBSD FW external interface. Then I use binat to map one
external ip to the internal ip. That way, the inside host can be reached
from internet and all connections made from internal host will appear as
coming from that host ip.
[1] i.e. routable addresses.
--
Rickard
.--. .--.
.----------------------------------------. | | | | .-.
| Rickard Borgmäster | | | | |/ /
| doktorn_(_at_)_sub_(_dot_)_nu | .-^ | .--. | <
| http://doktorn.sub.nu/ | ( o | ( () ) | |\ \
`----------------------------------------' `-----' `--' `--' `--'
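The binat setup Rickard describes above, written out as a pf.conf in the pre-4.7 syntax that was current when this thread was posted. This is an added example, not a configuration from the original post or from the OpenBSD project; the interface names fxp0/fxp1, the 203.0.113.0/27 public block, the 192.168.1.0/24 internal net and the two web server addresses are constructed (RFC 5737 and RFC 1918 documentation/private space). Since OpenBSD 4.7 the same mapping is expressed as `match on $ext_if from $web_int to any binat-to $web_ext`, with filtering done by separate pass rules.

```pf
# Added example (not from the original post). Public /27 on the external
# interface, one address of it mapped 1:1 to an internal web server.
#
# Prerequisites outside pf.conf:
#   /etc/sysctl.conf      net.inet.ip.forwarding=1
#   /etc/hostname.fxp0    inet 203.0.113.1 255.255.255.224
#                         inet alias 203.0.113.5 255.255.255.255
#                         (one alias line per public address you map)
ext_if  = "fxp0"            # external interface (assumption)
int_if  = "fxp1"            # internal interface (assumption)
int_net = "192.168.1.0/24"  # internal network (constructed)
web_int = "192.168.1.10"    # web server's real address (constructed)
web_ext = "203.0.113.5"     # public address it is reached at (constructed)

scrub in all

# Static 1:1 mapping, bidirectional: inbound to web_ext becomes web_int,
# outbound from web_int leaves as web_ext.  No dynamic nat rule, so the
# firewall is not translating anything else.
binat on $ext_if from $web_int to any -> $web_ext

# Default deny, then open only what the hosts need.
block all
pass quick on lo0 all

# Old pf translates before filtering, so on the external interface the
# filter sees the *internal* address for inbound traffic and the *public*
# address for outbound traffic.
pass in  on $ext_if proto tcp from any to $web_int port { 80, 443 } \
    flags S/SA keep state
pass out on $ext_if proto tcp from $web_ext to any \
    flags S/SA keep state

# Internal side: let the inside network talk out, and let the firewall
# deliver traffic to it (stateful entries created above also match here,
# as states are floating by default).
pass in  on $int_if from $int_net to any keep state
pass out on $int_if from any to $int_net keep state

# If instead each side has its own routable block (the "more than one
# public network" case), delete the binat line and write the same pass
# rules against the hosts' real addresses; routing alone carries the
# traffic and pf only filters it.
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the active binat mapping and `pfctl -s state` the translated connections.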