Subject: Re: Configuring two network cards in SPARCstation 4
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: port-sparc
Date: 06/01/2002 20:10:49
On Sat, 1 Jun 2002 @ 2:06pm (-0400), der Mouse wrote:

dM> > ...it shouldn't matter (unless your ISP is doing something ghetto) in
dM> > a typical home-lan situation where you're just going to IPNAT a /24
dM> > of private space to a /32 of public space using ipf(8).
dM>
dM> If you're trying to do filtering (ipf) as well as NAT (ipnat), it
dM> matters.
dM>
dM> > You don't even need two NICs to do a firewall.
dM>
dM> You do if you want any pretense of security, because otherwise an
dM> "outside" host can talk directly to an "inside" host without going
dM> through the firewall, which defeats the point of having it.
dM>
dM> Yes, if the inside hosts are in non-routed space, it helps, but only
dM> some.  If you're on a cable-modem, for example, anyone on your cable
dM> segment is usually in the same broadcast domain as your external
dM> interfaces and can speak directly to your inside hosts.  If you're on
dM>

...right, which is where you need to be careful about how you refer to a
multihomed device on your network capable of policy routing traffic:

'router', 'gateway', 'firewall', etc.

Even more complicating my argument is the inability to easily define
'sub-interfaces' w/ VIPs in *BSD; instead, interface aliases are used,
which ipf(8) does not honor in conf files (i.e., le0:this_ip le0:that_ip).

-lava

dM> DSL or dialup, it requires either subverting the ISP's gateway box or
dM> incompetent administration on the ISP's part - but both are
dM> depressingly plausible.
dM>
dM> Of course, you could do it with one interface if you turn on vlan
dM> trunking - but if you can afford a switch capable of vlans and
dM> trunking, you can probably afford a second ethernet.
dM>
dM> /~\ The ASCII				der Mouse
dM> \ / Ribbon Campaign
dM>  X  Against HTML	       mouse@rodents.montreal.qc.ca
dM> / \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
dM>