Subject: Re: Configuring two network cards in SPARCstation 4
To: None <port-sparc@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: port-sparc
Date: 06/01/2002 14:06:02
> ...it shouldn't matter (unless your ISP is doing something ghetto) in
> a typical home-lan situation where you're just going to IPNAT a /24
> of private space to a /32 of public space using ipf(8).

If you're trying to do filtering (ipf) as well as NAT (ipnat), it
matters.

> You don't even need two NICs to do a firewall.

You do if you want any pretense of security, because otherwise an
"outside" host can talk directly to an "inside" host without going
through the firewall, which defeats the point of having it.

Yes, if the inside hosts are in non-routed space, it helps, but only
some.  If you're on a cable-modem, for example, anyone on your cable
segment is usually in the same broadcast domain as your external
interfaces and can speak directly to your inside hosts.  If you're on
DSL or dialup, it requires either subverting the ISP's gateway box or
incompetent administration on the ISP's part - but both are
depressingly plausible.

Of course, you could do it with one interface if you turn on vlan
trunking - but if you can afford a switch capable of vlans and
trunking, you can probably afford a second ethernet.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
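As an added illustration (not part of the original post or of NetBSD's own documentation), here is a minimal two-interface ipf/ipnat ruleset of the kind the message has in mind. The interface names le0 (outside) and le1 (inside), the 192.168.1.0/24 inside range, and the NAT port range are assumptions. The point it makes concrete: the rules are keyed to the interface a packet arrives on, so a packet carrying an inside source address but arriving on the outside wire can be dropped, which is a distinction a single-NIC box cannot make because both kinds of traffic enter through the same interface.

```conf
# /etc/ipf.conf  (assumed: le0 = outside/ISP side, le1 = inside LAN)
# Rules are evaluated per interface; "quick" stops at the first match.

# Anti-spoofing: inside addresses must never arrive on the outside wire.
# On a one-NIC firewall this rule cannot be written, since inside and
# outside hosts share the same interface and the same broadcast domain.
block in log quick on le0 from 192.168.1.0/24 to any
block in log quick on le0 from 127.0.0.0/8 to any

# Default: nothing unsolicited from outside reaches the box or the LAN.
block in log quick on le0 all

# Inside hosts may originate connections; the state table lets the replies
# back in through the "block in" above.
pass in quick on le1 proto tcp  from 192.168.1.0/24 to any flags S keep state
pass in quick on le1 proto udp  from 192.168.1.0/24 to any keep state
pass in quick on le1 proto icmp from 192.168.1.0/24 to any keep state

# Traffic the firewall itself originates toward the ISP.
pass out quick on le0 proto tcp  from any to any flags S keep state
pass out quick on le0 proto udp  from any to any keep state
pass out quick on le0 proto icmp from any to any keep state

# /etc/ipnat.conf  (assumed: same interface roles; 0/32 = le0's own address)
# Rewrite the private /24 to the single public address on le0.
map le0 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map le0 192.168.1.0/24 -> 0/32
```

Load order matters on NetBSD of that era: ipnat translates before ipf sees an outbound packet on le0 and after ipf on inbound, so the filter rules above are written in terms of the real inside addresses on le1 and the public address on le0. The logged anti-spoof hits on le0 are also the cheapest detection you get for the "neighbor on the same cable segment" case the message describes.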