Subject: Re: Networking problem.
To: Richard Rauch <rauch@rice.edu>
From: David S. <davids@idiom.com>
List: netbsd-help
Date: 11/28/2002 10:56:46
> 
> Just to be 100% certain: If I bought a separate *switch* and hooked it in
> (via my hub's uplink circuit?), no packets would go to my ISP if they were
> known to be destined for one of my LAN ports.  Yes?

Yes, that's the way a switch is supposed to work.  However, some simple
tricks will put a switch in promiscuous mode, so it acts just like a
hub.  You can't count on a switch providing security.

> 
> 
> > which you could implement on each host.  If you still want or need an
> > overall fire wall, you could
> >
> > 	- Configure one machine as a packet-filtering bridge, between
> 
> I was beginning to think that this sounded like something that might be
> suitable for "bridges", though I've never really dealt with them before.
> I seem to recall that people were talking about adding bridge capability
> to NetBSD.  I thought that it was in -current, and might be in 1.6---but
> from what you say, I guess I was wrong (or if it's in -current, now, it
> got added after 1.6?).

1.6 has bridging capability, but can't filter packets going through
the bridge.

> 
> For the time and trouble to figure out OpenBSD for this box, I might as
> well buy a little DSL router, yes?  Would that take care of all of my
> worries (without putting me back to NAT)?  (^&

The DSL router would do the NAT automatically, most likely.  It's "easy",
but you don't have much control over it.  As far as "figuring out"
OpenBSD, if you know NetBSD, that would take all of, oh, fifteen minutes.
OpenBSD is just a NetBSD heresy, after all.

> 
> (I am unsure if it would, since I can't get NetBSD's DHCP to talk to my
> ISP, and I don't know how flexible those little dedicated DSL routers
> are...)

You may need to broadcast a hostname in your DHCP request.  It's been a
while since I screwed around with DHCP ...

> 
> 
> > 	- Go back to the NAT set-up, give one static address to the
> > 	  external interface of your gateway, and give its internal
> > 	  one and your other systems 192.168.0.0/16, 172.16.0.0/12,
> > 	  or 10.0.0.0/8 addresses.  Then assign the rest of your
> > 	  static addresses as aliases to the gateway's external
> > 	  interface, and use ipnat's "bimap" directive to map those
> > 	  aliases to the addresses of your NAT-ed machines.
> 
> Hm.  I'd thought of going back to NAT, but didn't know I could remap the
> addresses this way.  That looks like an interesting option.

DNS in this set-up can be kind of tricky, if you want to access
your machines from the internal network by their external IP addresses.
But whether through individual host files, YP, or split-horizon DNS, it's
do-able.


David S.
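One way to lay out the "NAT plus static aliases on the external interface" setup David describes, as an added example that is not from the thread. The interface name ex0, the 203.0.113.x statics, the 192.168.1.x hosts and the portmap range are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): generate the gateway configuration
# for the "NAT plus static aliases on the external interface" layout.
# Interface name, addresses and the port range are constructed placeholders.

EXT_IF=ex0                 # assumed ISP-facing interface
INT_NET=192.168.1.0/24     # private LAN behind the gateway

# Constructed mapping: "external static address  internal host", one per line.
MAPPING='203.0.113.11 192.168.1.11
203.0.113.12 192.168.1.12'

# ifconfig(8) lines that put the spare statics on the external interface
# as aliases; a /32 netmask keeps them from claiming the whole subnet.
alias_cmds() {
    printf '%s\n' "$MAPPING" | while read -r ext int; do
        printf 'ifconfig %s inet %s netmask 255.255.255.255 alias\n' "$EXT_IF" "$ext"
    done
}

# ipnat.conf(5) body.  Each bimap is a bidirectional 1:1 mapping: outbound
# traffic from the internal host leaves as the alias, and every inbound
# connection to the alias is forwarded to that host, so ipf rules must do
# the filtering that the NAT no longer provides.  The bimap rules go first
# so they match before the catch-all map that hides the rest of the LAN
# behind the interface's primary address (0/32).
ipnat_rules() {
    printf '%s\n' "$MAPPING" | while read -r ext int; do
        printf 'bimap %s %s/32 -> %s/32\n' "$EXT_IF" "$int" "$ext"
    done
    printf 'map %s %s -> 0/32 portmap tcp/udp 10000:20000\n' "$EXT_IF" "$INT_NET"
    printf 'map %s %s -> 0/32\n' "$EXT_IF" "$INT_NET"
}

# Show what would be applied; on the gateway the rules would be written to
# /etc/ipnat.conf and loaded with "ipnat -CF -f /etc/ipnat.conf".
alias_cmds
echo '--- /etc/ipnat.conf ---'
ipnat_rules
```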