Subject: Re: NetBSD-based repeater
To: Chris Jones <cjones@rupert.honors.montana.edu>
From: Stefan Grefen <grefen@hprc.tandem.com>
List: tech-net
Date: 02/09/1999 22:40:25
In message <w0vhhb8ru2.fsf@rupert.honors.montana.edu> Chris Jones wrote:
> Much to my dismay, my bosses have decided that we need a firewall.
> What really dismays me, however, is the fact that the network people
> appear unwilling or unable to provide us with a subnet for the
> machines that need to go behind the firewall.
>
> My original plan was to start by turning a BSD box into a router, and
> then install ipf, and gradually crank down the security until we get
> something reasonable. However, I don't know how to make this thing be
> a router if there aren't discrete subnets to route between. Is it
> even possible to turn a BSD box into something like an ethernet
> repeater?
>
> I was thinking that, if all else fails, I can run proxy ARP on it,
> with a static, manually-maintained table of ethernet addresses. Then
> I could add a route for each of these hosts, pointing out the correct
> interface.
You can forward stuff with ipf on a host-by-host basis using the
'fastroute/froute/to' keyword (they all mean the same).
This bypasses the kernel routing.
Stefan
>
> However, I haven't been able to get that to work; "netstat -nr" shows
> the host routes going out the correct interface, but the packets don't
> appear to go there. I may have messed something up, though; I should
> probably hack on it some more.
>
> If anybody has some advice for me, I'd really appreciate it. Please
> CC: me, since I don't normally read this list.
>
> Chris
>
> --
> -----------------------------------------------------cjones@math.montana.edu
> Chris Jones cjones@honors.montana.edu
> Mad scientist at large cjones@nervana.montana.edu
> "Is this going to be a stand-up programming session, sir, or another bug hunt?"
--
Stefan Grefen Tandem Computers Europe Inc.
grefen@hprc.tandem.com High Performance Research Center
--- Hacking's just another word for nothing left to kludge. ---