For the most part, the NAT capabilities in the 675 work, but the amount of
stuff you can really do with it sucks.

I was using an AMD 486 overclocked to 160 MHz with two 3c905b's in it for
a while.  Most Linux distributions include all of the IP masquerading modules
already, so you just have to read the IP-masq HOWTO and basically copy the
config that's in there.  If you want to run any servers behind the firewall,
you will need to get ipmasqadm so you can do port forwarding.  There is also
a PPTP module that you will need if you plan on establishing a VPN
connection from your inside network to somewhere else on the net.  There are
modules to handle just about every weird protocol with the Linux solution,
including FTP, ICQ, and Quake.

I'm using a Cisco 3640 with the IOS firewall feature set now, but it kinda
sucks compared to the Linux box.  I just picked up a PIX 520 though, so
we'll see how that works.  Cisco still doesn't have a fixup for PPTP.  As
long as I can pass IPSec through the PIX, I'll be fine though.  :)  I may
eventually end up switching back to the Linux box because it's much more
configurable than just about any other solution.

Jay

> -----Original Message-----
> From: Adam Maloney [mailto:adamm at sihope.com]
> Sent: Friday, November 17, 2000 5:11 PM
> To: tclug-list at lists.real-time.com
> Subject: Re: [TCLUG] To firewall or not to firewall...
> 
> 
> I've never tried it using something other than 10.0.0.x/24, but in CBOS
> 2.3.x at least it lets you specify the internal IP address, which would
> lead me to believe that you could use any address space on the inside that
> you wanted.  But again, I've never tried it so I don't know.  There were
> enhancements to its translation features listed on the CBOS 2.3 release
> notes, so maybe they did implement true NAT.
> 
> Adam Maloney
> Systems Administrator
> Sihope Communications
> 
> On Fri, 17 Nov 2000, Bob Tanner wrote:
> 
> > Quoting Adam Maloney (adamm at sihope.com):
> > > I wouldn't have a problem using the 675 to do the NAT, but I wouldn't use
> > > it as the firewall just because it's not powerful/configurable enough.  I
> > > have a routed block so I'm not doing NAT, but none of my customers have
> > > any problems with it.  Some of them are even doing some pretty complicated
> > > static NAT entries.
> > 
> > Unless things have changed, the 675 does not do NAT, it only does PAT, thus it
> > forces you to have an internal LAN of 10.0.0.1.
> > -- 
> > Bob Tanner <tanner at real-time.com>       | Phone : (612)943-8700
> > http://www.mn-linux.org                 | Fax   : (612)943-8500
> > Key fingerprint =  6C E9 51 4F D5 3E 4C 66 62 A9 10 E5 35 85 39 D9 
> > 
> > _______________________________________________
> > tclug-list mailing list
> > tclug-list at lists.real-time.com
> > https://mailman.real-time.com/mailman/listinfo/tclug-list
> > 
> 
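The Linux setup Jay describes (kernel IP masquerading, ipmasqadm for port forwarding, and the protocol helper modules), written out as an added example; this is not Jay's own config or anything from the list archive. It targets a 2.2-series kernel with ipchains, which is what the tools named in the post imply. The interface name (eth0), the inside subnet (192.168.1.0/24), the public address (203.0.113.10) and the inside web server (192.168.1.20) are assumed values; by default the script only prints the commands so it can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Linux 2.2 (ipchains) masquerading firewall with ipmasqadm port forwarding.
# Added example, not the original poster's configuration. The interface,
# subnet and addresses below are assumptions; adjust them for your network.
EXT_IF=${EXT_IF:-eth0}             # NIC facing the DSL router (assumed)
INT_NET=${INT_NET:-192.168.1.0/24} # inside LAN (assumed); not tied to the 675's 10.0.0.0/24
EXT_IP=${EXT_IP:-203.0.113.10}     # public address on EXT_IF (assumed)
WEB_SRV=${WEB_SRV:-192.168.1.20}   # inside host that should get inbound TCP/80 (assumed)
DRY_RUN=${DRY_RUN:-1}              # 1 = print the commands, 0 = run them (as root, 2.2 kernel)

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Routing between the NICs is off by default on Linux; the box must forward.
enable_forwarding() {
  if [ "$DRY_RUN" = 1 ]; then
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
  else
    echo 1 > /proc/sys/net/ipv4/ip_forward
  fi
}

masq_rules() {
  # Plain MASQ only rewrites IP/TCP/UDP headers. Protocols that carry
  # addresses or ports inside the payload need a helper module; ip_masq_ftp
  # and ip_masq_quake ship with stock 2.2 kernels. Helpers for PPTP or ICQ
  # exist only if your kernel was built with them, so they are not loaded here.
  run modprobe ip_masq_ftp
  run modprobe ip_masq_quake

  enable_forwarding

  # Default-deny forwarding, then masquerade only traffic sourced from the
  # inside LAN. Anything else trying to cross the box is dropped.
  run ipchains -F forward
  run ipchains -P forward DENY
  run ipchains -A forward -s "$INT_NET" -j MASQ

  # Anti-spoofing on the outside NIC: nothing arriving from the Internet
  # should claim an RFC 1918 source. -l logs the hit to syslog.
  run ipchains -F input
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    run ipchains -A input -i "$EXT_IF" -s "$net" -j DENY -l
  done

  # MASQ handles outbound flows only; inbound services need ipmasqadm.
  # Flush stale entries, then map TCP/80 on the public address to WEB_SRV.
  run ipmasqadm portfw -f
  run ipmasqadm portfw -a -P tcp -L "$EXT_IP" 80 -R "$WEB_SRV" 80
}

# sh masq.sh          -> prints the ruleset for review
# DRY_RUN=0 sh masq.sh -> applies it
masq_rules
```

The forward policy is DENY before the MASQ rule is added, so a mistake in INT_NET fails closed rather than turning the box into an open relay. The anti-spoofing rules matter more here than on a plain router: a masquerading host trusts source addresses to decide what gets rewritten, so packets from the outside claiming an inside address must be dropped before they reach that logic.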