Subject: Re: Networking problem.
To: Richard Rauch <rauch@rice.edu>
From: henry nelson <netb@irm.nara.kindai.ac.jp>
List: netbsd-help
Date: 11/30/2002 17:16:39
On Fri, Nov 29, 2002 at 11:00:49AM -0600, Richard Rauch wrote:
> > > addresses..."  But if it's really telling me that, I haven't figured out
> > > how I'm supposed to accomplish it.

AFAIK (and that's not very far!) in NetBSD there's only one way to use
all those static IPs and have firewalling at the same time.  I'd like
for someone to tell me I'm full of sh*t, BUT if you do, PLEASE have the
courtesy to at least tell us all _precisely_ how it's done with concrete
examples of configuration files.  (I am not talking about just plugging
six machines, each with its own static IP, into a hub and having each act
as its own firewall.  That is a possibility which might have a valid
application; I don't argue that.)

Someone already mentioned it, but don't you HAVE to do interface aliasing?
                                            ^^^^
So in your "ifconfig.rtk0" file for the NIC connected to the cable|DSL modem,
you have something like:
# /etc/ifconfig.rtk0: each line is handed to ifconfig(8) for rtk0.
# Primary address on the /24, then each additional public IP as a /32 alias.
66.136.7.249 netmask 0xffffff00
66.136.7.250 netmask 0xffffffff alias
66.136.7.251 netmask 0xffffffff alias
66.136.7.252 netmask 0xffffffff alias
66.136.7.253 netmask 0xffffffff alias
66.136.7.254 netmask 0xffffffff alias

And then in "ipnat.conf" you use redirection as a number of people have
mentioned; something like:
# /etc/ipnat.conf: rdr <iface> <public>/<bits> port <p> -> <internal> port <p> <proto>
# Use /32 so each rule matches exactly its aliased address; a /0 mask would
# ignore the address and match port <p> on every destination.
rdr rtk0 66.136.7.249/32 port 25 -> 192.168.7.249 port 25 tcp/udp
rdr rtk0 66.136.7.250/32 port 80 -> 192.168.7.250 port 80 tcp/udp
rdr rtk0 66.136.7.251/32 port 8080 -> 192.168.7.251 port 8080 tcp/udp
rdr rtk0 66.136.7.252/32 port 22 -> 192.168.7.252 port 22 tcp/udp
rdr rtk0 66.136.7.253/32 port 23 -> 192.168.7.253 port 23 tcp/udp
rdr rtk0 66.136.7.254/32 port 53 -> 192.168.7.254 port 53 tcp/udp

Where "249" is your mail server, "250" is your webserver, "251" acts
as a web proxy, "252" runs an ssh daemon, "253" accepts telnet connections
(honeypot.com) and "254" is your name server.  Anything you don't redirect
goes to 66.136.7.249.  The one obvious drawback being that you're limited
to one set of ports even though you "appear" to have six machines on the
66.136.7.0 network.  I quote "appear" because anyone able to run the arp
command or get the arp statistics on 66.136.7.0 will immediately know what
you are doing since the physical interface (mac address) will be the same
for all 6 of the IP addresses.

There is nothing in this setup which limits the number of machines you
have within the range of one to 64000 machines.  (I think.)

<rant>
I wish you could give me one of those IPs.  My ISP wants to charge $250+
_a month_ to give me just one!  Fo-o-o-orge-e-e-e-et i-i-i-it, $50/month
for dhcp seems steep enough already.
</rant>

henry nelson
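An added example, not from Henry's post and not NetBSD or IPFilter code: a small Python parser for rdr lines in the ipnat.conf syntax above that resolves an inbound packet to its redirect target and flags rules whose public address has no alias on the interface; the rule values are constructed. It also shows that the mask after the address decides what a rule matches: /32 pins it to that one alias, /0 matches any destination.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed rules in the ipnat.conf rdr syntax from the post (addresses are made up).
IPNAT_CONF = """\
rdr rtk0 66.136.7.249/32 port 25 -> 192.168.7.249 port 25 tcp/udp
rdr rtk0 66.136.7.250/32 port 80 -> 192.168.7.250 port 80 tcp/udp
rdr rtk0 66.136.7.254/32 port 53 -> 192.168.7.254 port 53 tcp/udp
"""
# rdr <ifname> <addr>/<bits> port <dport> -> <target> port <tport> <proto>[/<proto>]
RDR_RE = re.compile(r"^rdr\s+(?P<ifn>\S+)\s+(?P<net>\S+)\s+port\s+(?P<dport>\d+)\s*->\s*"
                    r"(?P<to>\S+)\s+port\s+(?P<tport>\d+)\s+(?P<proto>\S+)\s*$")

class Rdr(NamedTuple):
    ifname: str
    net: ipaddress.IPv4Network  # <addr>/<bits> after masking; /0 collapses to 0.0.0.0/0
    dport: int
    target: str
    tport: int
    protos: frozenset  # {"tcp"}, {"udp"} or {"tcp", "udp"}

def parse_ipnat(text):
    """Parse rdr lines; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(Rdr(m["ifn"], ipaddress.ip_network(m["net"], strict=False), int(m["dport"]),
                         m["to"], int(m["tport"]), frozenset(m["proto"].split("/"))))
    return rules

def redirect(rules, ifname, dst, dport, proto):
    """First matching rdr rule wins; None means the packet stays on the firewall host itself."""
    addr = ipaddress.ip_address(dst)
    for r in rules:
        if r.ifname == ifname and addr in r.net and r.dport == dport and proto in r.protos:
            return (r.target, r.tport)
    return None

def unaliased(rules, iface_addrs):
    """Host-specific (/32) rdr rules whose public address is not configured on the interface:
    without the alias the packet is never accepted, so the rule can never fire."""
    have = {ipaddress.ip_address(a) for a in iface_addrs}
    return [r for r in rules if r.net.prefixlen == 32 and r.net.network_address not in have]
```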