I have a situation where there are two default routes that need to be followed:
Local network is 192.168, default route gets to the Internet, but there's also a 10. network that provides important services to the local net. Right now the router is seeing packets destined for 10. and rerouting them through a particular 192.168 node that serves as a gateway to the 10. network (it's an IP address on a router that's not under our control that essentially can't be changed).
The big problem is that right now all traffic originating in the 10. network can get to our network. Unfortunately, this includes all kinds of worm traffic (the RPC vulnerability of months ago will still knock over any installed XP machine within 5 minutes, as an example, because the vendor doesn't understand the concept of patches.)
Anyway, I'm looking for the simplest way to firewall off the 10. networks while still making them available. Right now I'm leaning toward a FreeBSD box set to bridge the 192.168 networks, with a filter to only allow the traffic we need to pass.
Is there a simpler way? Any sexy way to use the Ultra 2 I just picked up on eBay in this role (probably better hardware than the cast-off x86 I had flagged for the role)? I'd love to use something like Mandrake's MNF, but have no experience with this sort of solution...
Which route would YOU take, and why?
Local network is 192.168, default route gets to the Internet, but there's also a 10. network that provides important services to the local net. Right now the router is seeing packets destined for 10. and rerouting them through a particular 192.168 node that serves as a gateway to the 10. network (it's an IP address on a router that's not under our control that essentially can't be changed).
The big problem is that right now all traffic originating in the 10. network can get to our network. Unfortunately, this includes all kinds of worm traffic (the RPC vulnerability of months ago will still knock over any installed XP machine within 5 minutes, as an example, because the vendor doesn't understand the concept of patches.)
Anyway, I'm looking for the simplest way to firewall off the 10. networks while still making them available. Right now I'm leaning toward a FreeBSD box set to bridge the 192.168 networks, with a filter to only allow the traffic we need to pass.
Is there a simpler way? Any sexy way to use the Ultra 2 I just picked up on eBay in this role (probably better hardware than the cast-off x86 I had flagged for the role)? I'd love to use something like Mandrake's MNF, but have no experience with this sort of solution...
Which route would YOU take, and why?