Subject: Re: Strange Routing Situation
To: <>
From: Jaromir Dolecek <dolecek@ics.muni.cz>
List: current-users
Date: 08/25/1998 00:34:11
Wouldn't ipnat do what you want to do? I.e. from outside,
just the NetBSD box would be visible; from inside, NetBSD would
act just like a default gateway (i.e. normal router).
It's easy to do. I have done it for dial-out link, so
it should be possible for leased line as well. You won't even
need two IP addresses then.
Jarda
R. C. Dowdeswell wrote:
>
> On 903981788 seconds since the Beginning of the UNIX epoch
> nm wrote:
> >
> >Hello All,
> >
> >I am a college student living on campus. In each dorm room there is an
> >ethernet port on the wall. I would like to set up a freebsd box and a
> >windows box behind a NetBSD firewall in my room, but I am not so sure that
> >it can be done.
>
> I believe that it can.
>
> >Here is some background info:
> > q.r.s is the class c for the floor
> > q.r.s.1 is the gateway to the inet for the floor
> >
> > q.r.s.27
> > q.r.s.28
> > q.r.s.201 these are the ip's that have been allocated to me.
> > q.r.s.202
> >
> >I have no control of the configuration of the campus router (q.r.s.1)
> >
> >I have two DEC ethernet cards in my Alpha (de0 and de1)
> >
> >
> >|
> >|
> >|---------[NetBSD]-------<hub>-----[windows and freebsd]
> >|
> >
> >The address of the NIC in the NetBSD box that is on the campus network
> >is q.r.s.202 (de1) the one on the side of the internal network is
> >q.r.s.201 (de0)
> >
> >After I have ifconfig'd the card I need to use route to set the static
> >routes right?
> >and after that I would prolly need to do some messing with the arp cache
> >via arp right?
> >
> >Well I would think that after I have the proper routes set up that I could
> >ping a host
> >on the campus network from the netbsd box and I could also ping host on my
> >internal network
> >from the netbsd box right?
>
> Basically, it looks like both of the interfaces are on the same
> subnet. You might try `route -n show' to see which interface the
> packets want to go out. Most routing decisions are based on nets
> and netmasks, and since you have two interfaces that are on the
> same net there isn't really the info for which one to send the
> packets out.
>
> I solved a similar problem using ipf, and setting up rules such
> as:
>
> # ifconfig de0 inet q.r.s.201 netmask 0xffffffff
> # ifconfig de1 inet q.r.s.202 netmask 0xffffff00
> # ipf -Ef -
> pass out on de1 to de0 from any to q.r.s.27
> pass out on de1 to de0 from any to q.r.s.28
>
> (These rules may not be quite right, since I'm taking what I did
> from memory.)
>
> Something like this will allow you to speak to the internal machines.
> If you want to get the firewall going (without access to the router),
> you'll have to set up IPF to do the right thing with routing, and so
> on. Basically, what you want to do is set up your IPF rules to throw
> all of the packets that need to end up on the internal machines
> to de1 (in this example). Then all you need to do is to get the firewall
> to respond to arp's for the internal addresses (so that it gets the
> packets.) Then you have something that works a bit like a switching
> hub.
>
> One note is that if you want to use the routing extensively with IPF,
> I would recommend that you upgrade to current, since there was a bug
> in the code in NetBSD-1.3.1 (not sure about 1.3.2).
>
> == Roland
> == http://www.imrryr.org/~elric/
>
--
Jaromir Dolecek <dolecek@ics.muni.cz> http://www.ics.muni.cz/~dolecek/
-------------------------------------------------------------------------
It is better never to have been born. But who among us has such luck?
One in a million, perhaps.
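
The routing point in the quoted reply (decisions are made on nets and netmasks, so two interfaces on the same net give the kernel nothing to choose with) can be checked with a small longest-prefix-match model. This is an added example, not part of either poster's message; 192.0.2.0/24 is a constructed stand-in for q.r.s, and the host routes in the last table are a hypothetical illustration rather than the ipf `to` rules quoted above.

```python
import ipaddress

# Constructed stand-in for the thread's q.r.s.0/24 (documentation range).
NET = "192.0.2."


def egress(table, dst):
    """Return the set of interfaces holding the most specific route to dst.

    table is a list of (prefix, interface) pairs. More than one interface
    in the result means prefix length alone cannot pick an exit interface.
    """
    addr = ipaddress.ip_address(dst)
    matches = []
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            matches.append((net.prefixlen, ifname))
    if not matches:
        return set()
    longest = max(plen for plen, _ in matches)
    return {ifname for plen, ifname in matches if plen == longest}


# Both NICs configured with the floor's /24: the situation in the question.
SAME_SUBNET = [(NET + "0/24", "de0"), (NET + "0/24", "de1")]

# Netmasks from the quoted ifconfig lines: de0 is a /32, de1 keeps the /24.
QUOTED_MASKS = [(NET + "201/32", "de0"), (NET + "0/24", "de1")]

# Hypothetical: host routes for the two inside machines via de0.
WITH_HOST_ROUTES = QUOTED_MASKS + [
    (NET + "27/32", "de0"),
    (NET + "28/32", "de0"),
]

if __name__ == "__main__":
    for name, table in [("same subnet", SAME_SUBNET),
                        ("quoted masks", QUOTED_MASKS),
                        ("with host routes", WITH_HOST_ROUTES)]:
        for host in ("1", "27", "28"):
            print(name, NET + host, sorted(egress(table, NET + host)))
```

With only the quoted netmasks, traffic for the inside hosts still resolves to de1, the campus side, which is why something more specific (the ipf rules in the reply, or per-host routes) has to steer it to de0.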