Firewall Wizards mailing list archives

Classes of firewalls (based on IP utilization)


From: "list tracker" <list_tracker () hotmail com>
Date: Sun, 25 Feb 2001 10:42:59 -0000


So far, I have created the following types of firewalls:

1. One subnet (or even one IP) on the external interface, and another subnet of fake IPs on the internal, using NAT one <--> many.

2. One subnet of real IPs on the external, and one subnet of real IPs on the internal, with a next-hop route from the external subnet to the internal (said next-hop route is set up on the router the firewall connects outwards to).

I am wondering what can be done if I want to use ONLY real IPs, but I also only want to use ONE subnet. If I have a /24, with no subnets, and the router is .1, and the FW external is .2, and the FW internal is .3, and workstations are .4 - .254 ... is there a way to work this?

My thought is that a static route will have to be created on the firewall for every single workstation IP being protected.

Is this correct? Further, is it an appropriate way to solve this problem (given the constraints of no subnetting and no NAT)?

Finally, are these the only three major ways of arranging IPs for firewalling - the three ways being: NAT (one to many, or a combination of one to many and some to some); two subnets of real IPs, one announcing the next one; and what I just described: one subnet, with a static route for each IP on the other side of the FW.

Or are there some other, qualitatively different configurations?

Any comments, especially those on the goodness/badness of what I have proposed (one subnet, lots of static routes) are appreciated.

thanks,

LT

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
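The following is an added illustration, not part of the original post or any reply: it models the single-/24 layout the poster describes (router .1, firewall external .2, firewall internal .3, workstations .4 - .254) and compares the per-host static route table the poster proposes with the same address span summarized into the fewest CIDR prefixes. The 192.0.2.0/24 prefix is a constructed placeholder (a documentation range), not a real network from the post, and the route-lookup function is a simplified longest-prefix match written here for illustration.

```python
import ipaddress

# Constructed topology mirroring the post: one /24, no subnetting, no NAT.
# 192.0.2.0/24 is a documentation prefix used as a placeholder.
NETWORK = ipaddress.ip_network("192.0.2.0/24")
ROUTER = ipaddress.ip_address("192.0.2.1")        # upstream router
FW_EXTERNAL = ipaddress.ip_address("192.0.2.2")   # firewall outside interface
FW_INTERNAL = ipaddress.ip_address("192.0.2.3")   # firewall inside interface
FIRST_WS = ipaddress.ip_address("192.0.2.4")      # first protected workstation
LAST_WS = ipaddress.ip_address("192.0.2.254")     # last protected workstation


def host_routes(first, last, next_hop):
    """One /32 static route per protected host, as the post proposes.

    On the upstream router next_hop is the firewall's external address;
    on the firewall itself the same entries point out the inside interface.
    """
    routes = []
    addr = first
    while addr <= last:
        routes.append((ipaddress.ip_network(f"{addr}/32"), next_hop))
        addr += 1
    return routes


def summarized_routes(first, last, next_hop):
    """The same protected span expressed as the minimal set of CIDR prefixes.

    This does not change the addressing plan (the /24 stays unsubnetted);
    it only shrinks the route table that has to be maintained.
    """
    return [(net, next_hop)
            for net in ipaddress.summarize_address_range(first, last)]


def next_hop_for(dst, routes, default):
    """Simplified longest-prefix match: most specific matching route wins,
    otherwise the default (the directly connected segment or the router)."""
    best = None
    for net, hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else default


def route_table_sizes():
    """Return (per-host count, summarized count) for the constructed layout."""
    per_host = host_routes(FIRST_WS, LAST_WS, FW_EXTERNAL)
    summarized = summarized_routes(FIRST_WS, LAST_WS, FW_EXTERNAL)
    return len(per_host), len(summarized)


if __name__ == "__main__":
    per_host, summarized = route_table_sizes()
    print(f"per-host /32 routes on the router: {per_host}")
    print(f"equivalent summarized routes:      {summarized}")
    for net, hop in summarized_routes(FIRST_WS, LAST_WS, FW_EXTERNAL):
        print(f"  {net} via {hop}")
    # A protected host is reached through the firewall; the router itself is not.
    table = summarized_routes(FIRST_WS, LAST_WS, FW_EXTERNAL)
    print(next_hop_for(ipaddress.ip_address("192.0.2.100"), table, ROUTER))
    print(next_hop_for(ROUTER, table, "connected"))
```

The point of the comparison is that the poster's constraint (no subnetting) limits how addresses are assigned, not how routes are expressed: the 251 per-host entries collapse to 12 prefixes covering exactly .4 through .254, which is far less error-prone to keep consistent between the router and the firewall. Any address that falls outside the protected span (.1 through .3) deliberately matches none of the entries and falls through to the connected route.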

