On Wed, Mar 24, 2010 at 09:08:48PM -0400, Geoff wrote:
> I'm trying to set up spamd on my firewall system.
>
> The configuration is tricky because my upstream provider
> (Verizon) only gives me 5 IPs, all on the same subnet.
>
> The firewall system is acting as a bridge and as a router.
<SNEEP>
I think you're taking the wrong approach here by including a bridge.

Configure the interface with the default route to have all 5 IP addresses. Configure the hosts to be protected by the firewall, but reachable by the public internet, to be on one or more subnets within the RFC 1918 space. Use rdr rules (or the newer equivalent) for the SPECIFIC access required from the public internet. Use nat rules for the specific access they need to the public internet.

*IF* you do that you can use relayd or some of the fancier rdr rules to load balance across multiple backend hosts. You can also use one IP address to service multiple services that are actually provided by multiple backend boxes if the load demands such separation.

-- 
Chris Dukes
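The layout Chris describes, written out as a pf.conf fragment in the newer match/rdr-to/nat-to syntax. This is an added example, not configuration from either poster: the interface name em0, the TEST-NET public addresses 203.0.113.1-5 standing in for the five provider-assigned IPs, and the 10.0.0.0/24 backend hosts are all placeholders, and the spamd greylisting lines follow the pattern documented in spamd(8) rather than anything from this thread.

```pf
# Added example, not from the original thread. All addresses, the
# interface name and the backend hosts are assumed placeholders.
ext_if   = "em0"
pub_main = "203.0.113.1"          # primary public address, also used for outbound NAT
pub_mail = "203.0.113.2"          # public address advertised for SMTP
pub_web  = "203.0.113.3"          # public address advertised for HTTP/HTTPS
int_net  = "10.0.0.0/24"          # RFC 1918 subnet behind the firewall
mail_srv = "10.0.0.10"            # internal mail host
web_srv  = "10.0.0.20"            # internal web host

# Tables used by spamd(8): whitelisted senders and hosts that bypass spamd.
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

# Default deny inbound; only the specific services listed below are reachable.
block in log on $ext_if
pass out on $ext_if

# Outbound: hosts on the private subnet leave through the primary public address.
match out on $ext_if from $int_net nat-to $pub_main

# Inbound SMTP to the mail address: unknown senders are diverted to spamd
# for greylisting; known-good senders are redirected straight to the mail host.
pass in on $ext_if proto tcp from any to $pub_mail port smtp \
    rdr-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from <nospamd> to $pub_mail port smtp \
    rdr-to $mail_srv
pass in log on $ext_if proto tcp from <spamd-white> to $pub_mail port smtp \
    rdr-to $mail_srv

# Inbound web: one public address, one backend. The rdr-to rewrites the
# destination before filtering, so no separate pass rule to $web_srv is needed.
pass in on $ext_if proto tcp from any to $pub_web port { www, https } \
    rdr-to $web_srv
```

The extra public addresses are configured as aliases on the external interface (on OpenBSD, `inet alias` lines in /etc/hostname.em0), so the firewall answers for all five while the protected hosts hold only RFC 1918 addresses. Because each rule names a specific public address and port, adding a service means adding one more explicit rdr-to rule rather than exposing an internal host wholesale; nothing not listed is reachable from outside.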