Subject: Re: NetBSD-based repeater
To: Chris Jones <cjones@rupert.honors.montana.edu>
From: Anders Magnusson <ragge@ludd.luth.se>
List: tech-net
Date: 02/09/1999 20:47:41
> Much to my dismay, my bosses have decided that we need a firewall.
> What really dismays me, however, is the fact that the network people
> appear unwilling or unable to provide us with a subnet for the
> machines that need to go behind the firewall.
> 
> My original plan was to start by turning a BSD box into a router, and
> then install ipf, and gradually crank down the security until we get
> something reasonable.  However, I don't know how to make this thing be
> a router if there aren't discrete subnets to route between.  Is it
> even possible to turn a BSD box into something like an ethernet
> repeater?
> 
> I was thinking that, if all else fails, I can run proxy ARP on it,
> with a static, manually-maintained table of ethernet addresses.  Then
> I could add a route for each of these hosts, pointing out the correct
> interface.
> 
The thing is: The IP stack can't forward between "illegal" subnets
(even if the routing table is able to handle it). What you can do to
make a simple solution is to have a "real" net number on one interface,
and a fake number on the other (10.0.0.1). Then you add static routes
for the machines on the fake interface.
Arp can't be handled via the built-in arp functionality (it will reply
on the wrong interface), so you should get the arp daemon from
ftp://subzero.campus.luth.se/pub/arpd and configure it to give the correct
ethernet replies for the machines that are isolated from each other.
We use this to make a NetBSD router act like an IP bridge in many places.

-- Ragge
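A small model of the setup Ragge describes, added here as an illustration (it is not code from the post or from the arpd tool): one "real" and one fake-numbered interface, static host routes for the protected machines, and an ARP answering rule that only replies on the side opposite to where the target actually lives. Interface names, addresses and MACs are constructed sample values.

```python
"""Toy model of the "real net on one side, fake net on the other" router.

The router has a public-side interface (ex0, 192.0.2.1/24) and an
inside interface (ex1, 10.0.0.1/24).  Machines moved behind the firewall
keep their public addresses, so each needs a static host route out ex1,
and something must answer ARP for them on ex0, but never on ex1 itself
(that is the wrong-interface reply the kernel's own arp code produces).
"""
from ipaddress import ip_address, ip_network

# Constructed sample topology; names, addresses and MACs are illustrative.
ROUTER_MAC = {"ex0": "00:00:5e:00:53:01", "ex1": "00:00:5e:00:53:02"}
ROUTER_IP = {ip_address("192.0.2.1"), ip_address("10.0.0.1")}
ATTACHED_NET = {"ex0": ip_network("192.0.2.0/24"),
                "ex1": ip_network("10.0.0.0/24")}

# Manually maintained table: protected host -> interface it really hangs off.
HOST_ROUTES = {
    ip_address("192.0.2.10"): "ex1",
    ip_address("192.0.2.11"): "ex1",
}


def next_hop_interface(dst):
    """Route lookup, most specific first: host routes, then attached nets."""
    dst = ip_address(dst)
    if dst in HOST_ROUTES:
        return HOST_ROUTES[dst]
    for ifname, net in ATTACHED_NET.items():
        if dst in net:
            return ifname
    return None  # would need a default route; not modelled here


def proxy_arp_reply(ifname_in, target_ip):
    """MAC the arp daemon should answer with for a request seen on ifname_in,
    or None to stay silent.  It answers only when the target is reached via a
    different interface, so hosts sharing a wire still talk to each other
    directly and the router never claims an address on the wrong side."""
    target = ip_address(target_ip)
    if target in ROUTER_IP:
        return ROUTER_MAC[ifname_in]  # one of the router's own addresses
    out = next_hop_interface(target)
    if out is None or out == ifname_in:
        return None  # same wire as the requester, or unknown: let it be
    return ROUTER_MAC[ifname_in]  # reply with the MAC of the receiving side
```

In practice the host routes correspond to `route add -host` entries on the router and IP forwarding must be enabled; the answering rule is what the separate arp daemon has to implement.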