Subject: Re: r/o filesystem restrictions for firewall?
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Jon Lindgren <jlindgren@slk.com>
List: netbsd-help
Date: 10/24/2000 06:39:10
On Tue, 24 Oct 2000, Manuel Bouyer wrote:

[snip]

> Yes, that's it. But this is mandatory. Also if you let user log in you may
> want accounting.

Ahhh... drats!

[snip]

> What do you want to do with this machine exactly ?
> ipnat/ipf, or telnet/ssh/ftp/whatever gateway for internal or external users ?
> These 2 functionalities should be on different machines. The ipnat/ipf machine
> is the one which protects your internal network so it should be as
> safe as possible. This implies no network services running on it, and
> management done only from console (and console in a safe place, of course).

Correct - this box will be ipf and ipnat'ing 3 external IP addresses to an
internal DMZ done.  Inside there will be my bastion hosts, connected to my
true internal networks via the typical choke router.

I was hoping to do something like bridging w/ipf - that way I wouldn't
have to assign the firewall box an IP addr, so I could be a bit happier
that the box was less likely to be cracked.  But, since NetBSD doesn't do
bridging yet, I'm stuck (I want to stay with NetBSD).  So ipf/ipnat sounds
like my only alternative.

As much as I don't like local spinning disks, maybe it's okay to do
here.  Thanks for the pointers and ideas.

-Jon
 --------------------------------------------------------------------
 "Trout are freshwater fish, and have underwater weapons."
 "Zing, zing zing zing!"
 "Keep away from the trout."
 -- The opinions expressed are not necessarily those of my employer --
 "Who stole my lawn?"
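The setup described in the reply above (an ipf/ipnat box that owns no services, maps three external addresses 1:1 onto DMZ hosts and is managed only from the console), written out as an added example. This is not configuration from the original thread or from the NetBSD project; the interface names (fxp0 outside, fxp1 towards the DMZ), the 192.0.2.0/24 external block, the 10.0.0.0/24 DMZ range, the firewall's own addresses (192.0.2.1 and 10.0.0.1) and the three published services are all constructed for illustration.

```ipf
# ---- /etc/ipnat.conf (constructed example; all addresses/interfaces assumed) ----
# bimap is a bidirectional 1:1 translation: packets arriving on fxp0 for
# 192.0.2.11 are rewritten to 10.0.0.11 *before* the filter sees them, and
# packets leaving from 10.0.0.11 go out with source 192.0.2.11.
bimap fxp0 10.0.0.11/32 -> 192.0.2.11/32
bimap fxp0 10.0.0.12/32 -> 192.0.2.12/32
bimap fxp0 10.0.0.13/32 -> 192.0.2.13/32

# ---- /etc/ipf.conf (constructed example) ----
# Default deny in both directions. Every later rule is "quick", so whatever
# falls through ends up here and is logged.
block in log all
block out log all

# The only interface the box talks to itself on.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the outside: nothing claiming a DMZ or loopback source
# address may arrive on fxp0.
block in log quick on fxp0 from 10.0.0.0/24 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# No network services run on the firewall and management is console-only,
# so nothing may be addressed to the firewall's own interfaces.
block in log quick from any to 192.0.2.1/32
block in log quick from any to 10.0.0.1/32

# Inbound to the DMZ hosts. ipnat runs before ipf on input, so these rules
# match the post-bimap (internal) destination address, not 192.0.2.x.
# "keep state" on the inbound rule also passes the return traffic and the
# forwarded copy that leaves on fxp1, despite the default "block out".
pass in quick on fxp0 proto tcp from any to 10.0.0.11/32 port = 25 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to 10.0.0.12/32 port = 80 flags S/SA keep state
pass in quick on fxp0 proto tcp from any to 10.0.0.13/32 port = 22 flags S/SA keep state

# Outbound from the DMZ. On output ipf runs before ipnat, so the rules see
# the internal 10.0.0.0/24 source addresses; bimap rewrites them afterwards.
pass in quick on fxp1 proto tcp from 10.0.0.0/24 to any flags S/SA keep state
pass in quick on fxp1 proto udp from 10.0.0.0/24 to any port = 53 keep state

# Let ICMP unreachables reach the DMZ so path-MTU discovery keeps working.
pass in quick on fxp0 proto icmp from any to 10.0.0.0/24 icmp-type 3
```

Load with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`. Two things to check before trusting it: the upstream router will ARP for 192.0.2.11-13, so the firewall has to answer for them (alias them on fxp0, or publish them with arp(8)'s `pub` keyword), and the `log` keywords only help if ipmon(8) has somewhere writable to put the records, which on a read-only root means a memory-backed /var or logging to a remote syslog host.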