Subject: Re: NetBSD-based repeater
To: Chris Jones <>
From: Stefan Grefen <>
List: tech-net
Date: 02/09/1999 22:40:25
In message <>  Chris Jones wrote:
> Much to my dismay, my bosses have decided that we need a firewall.
> What really dismays me, however, is the fact that the network people
> appear unwilling or unable to provide us with a subnet for the
> machines that need to go behind the firewall.
> My original plan was to start by turning a BSD box into a router, and
> then install ipf, and gradually crank down the security until we get
> something reasonable.  However, I don't know how to make this thing be
> a router if there aren't discrete subnets to route between.  Is it
> even possible to turn a BSD box into something like an ethernet
> repeater?
> I was thinking that, if all else fails, I can run proxy ARP on it,
> with a static, manually-maintained table of ethernet addresses.  Then
> I could add a route for each of these hosts, pointing out the correct
> interface.

You can forward stuff with ipf on a host-by-host basis using the
'fastroute/froute/to' keyword (they all mean the same).
This bypasses the kernel routing.


> However, I haven't been able to get that to work; "netstat -nr" shows
> the host routes going out the correct interface, but the packets don't
> appear to go there.  I may have messed something up, though; I should
> probably hack on it some more.
> If anybody has some advice for me, I'd really appreciate it.  Please
> CC: me, since I don't normally read this list.
> Chris
> -- 
> Chris Jones                                
>            Mad scientist at large          
> "Is this going to be a stand-up programming session, sir, or another bug hunt?"

Stefan Grefen                                Tandem Computers Europe Inc.                       High Performance Research Center
 --- Hacking's just another word for nothing left to kludge. ---