Subject: Re: Strange Routing Situation
To: nm <nmanisca@vt.edu>
From: R. C. Dowdeswell <elric@arioch.imrryr.org>
List: current-users
Date: 08/24/1998 12:34:46
On 903981788 seconds since the Beginning of the UNIX epoch
nm wrote:
>
>Hello All,
>
>I am a college student living on campus.  In each dorm room there is an
>ethernet port on the wall.  I would like to set up a freebsd box and a 
>windows box behind a NetBSD firewall in my room, but I am not so sure that
>it can be done.

I believe that it can.

>Here is some background info:
>	q.r.s is the class c for the floor
>	q.r.s.1 is the gateway to the inet for the floor
>
>	q.r.s.27
>	q.r.s.28
>	q.r.s.201	these are the IPs that have been allocated to me.
>	q.r.s.202
>
>I have no control of the configuration of the campus router (q.r.s.1)
>
>I have two DEC ethernet cards in my Alpha (de0 and de1)
>
>
>|
>|				
>|---------[NetBSD]-------<hub>-----[windows and freebsd]
>|
>
>The address of the NIC in the NetBSD box that is on the campus network
>is q.r.s.202 (de1)  the one on the side of the internal network is
>q.r.s.201 (de0)
>
>After I have ifconfig'd the card I need to use route to set the static
>routes right?
>and after that I would prolly need to do some messing with the arp cache
>via arp right?
>
>Well I would think that after I have the proper routes set up that I could
>ping a host
>on the campus network from the netbsd box and I could also ping a host on my
>internal network
>from the netbsd box right?

Basically, it looks like both of the interfaces are on the same
subnet. You might try `route -n show' to see which interface the
packets want to go out.  Most routing decisions are based on nets
and netmasks, and since you have two interfaces that are on the
same net there isn't really the info for which one to send the
packets out.

I solved a similar problem using ipf, and setting up rules such
as:

 # ifconfig de0 inet q.r.s.201 netmask 0xffffffff
 # ifconfig de1 inet q.r.s.202 netmask 0xffffff00
 # ipf -Ef -
 pass out on de1 to de0 from any to q.r.s.27
 pass out on de1 to de0 from any to q.r.s.28

(These rules may not be quite right, since I'm taking what I did
from memory.)

Something like this will allow you to speak to the internal machines.
If you want to get the firewall going (without access to the router),
you'll have to set up IPF to do the right thing with routing, and so
on.  Basically, what you want to do is set up your IPF rules to throw
all of the packets that need to end up on the internal machines
to de1 (in this example).  Then all you need to do is to get the firewall
to respond to ARPs for the internal addresses (so that it gets the
packets).  Then you have something that works a bit like a switching
hub.

One note is that if you want to use the routing extensively with IPF,
I would recommend that you upgrade to current, since there was a bug
in the code in NetBSD-1.3.1 (not sure about 1.3.2).

 == Roland
 == http://www.imrryr.org/~elric/
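The following is an added illustration, not part of Roland's reply: it models the routing point he makes (two interfaces on one /24 leave the kernel no basis for choosing an egress, the 0xffffffff mask on de0 removes the tie, and the `pass out on de1 to de0` rules plus published ARP entries then steer internal traffic). It assumes 192.0.2.0/24 stands in for q.r.s and a constructed MAC for de1.

```python
import ipaddress

# Constructed address plan: 192.0.2.0/24 stands in for the thread's q.r.s.
NET = "192.0.2."
INTERNAL = {27, 28}            # hosts behind de0, per the post
DE1_MAC = "00:00:f8:00:00:01"  # constructed MAC for the campus-side NIC

def addr(host):
    return ipaddress.ip_address(NET + str(host))

def routes_for(de0_mask, de1_mask):
    """Connected routes implied by the two ifconfig commands in the reply."""
    return [
        (ipaddress.ip_network(f"{NET}201/{de0_mask}", strict=False), "de0"),
        (ipaddress.ip_network(f"{NET}202/{de1_mask}", strict=False), "de1"),
    ]

def lookup(routes, dst):
    """Longest-prefix match; returns every interface tied for the best prefix,
    so a two-element result is the 'no info to choose' case Roland describes."""
    best, ifaces = -1, []
    for net, ifname in routes:
        if dst in net:
            if net.prefixlen > best:
                best, ifaces = net.prefixlen, [ifname]
            elif net.prefixlen == best:
                ifaces.append(ifname)
    return ifaces

# 'pass out on de1 to de0 from any to q.r.s.27/28': rewrite egress for internal hosts.
IPF_REDIRECT = {addr(h): ("de1", "de0") for h in INTERNAL}

def egress(routes, dst):
    """Interface a packet finally leaves on, or None when routing is ambiguous."""
    ifaces = lookup(routes, dst)
    if len(ifaces) != 1:
        return None
    out = ifaces[0]
    rule = IPF_REDIRECT.get(dst)
    return rule[1] if rule and rule[0] == out else out

def proxy_arp_commands():
    """NetBSD arp(8) entries so the firewall answers ARP for the internal hosts
    on the campus side (arp -s host ether_addr pub)."""
    return [f"arp -s {addr(h)} {DE1_MAC} pub" for h in sorted(INTERNAL)]
```

With both masks at /24 the lookup for .27 returns both interfaces; with de0 at /32 it returns only de1, and the IPF rule then moves the packet to de0.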