Maybe I'm missing the point here, but it seems that in this case it would be
more appropriate to forget about packet filters altogether, and use BM as a
proxy server.

By enabling transparent proxy, all traffic (even that generated by your
"savvy" users - unless they can re-direct their traffic to another local
proxy server) will be captured and forced through the proxy.

And in that scenario, one NIC would work just fine.


"Jim Michael" <jkmichael@myrealbox.com> wrote in message
news:3E289034.89E99F64@myrealbox.com...
> James wrote:
> >
> > We just want this server to control who gets out to the internet and what
> > access they have when they get there. Can I not do this with one nic and a
> > secondary ip address?
>
> No, with only a single NIC in the server users can simply bypass this
> server and get straight out to the internet.
>
> > Do I have to have 2 physical nics in the servers?
>
> Yes. Unless you were to configure the internet router to only accept
> packets from the BM server, but what's the point? Adding a NIC is easy.
>
> > The users' default gateway is the bm server, the bm server's gateway is the
> > internet router. I use default filters and add filters as needed like ftp,
> > pop3 etc, it seems simple in theory. This is obviously my first try at
> > setting up a bm server.
>
> But a savvy user can simply point their default gateway at the internet
> router and thus totally bypass BM. The correct configuration is to have
> two NICs in the server.. one designated as "private" and the other as
> "public." The private NIC connects to the LAN, and the public NIC connects
> to your internet router (and the internet router no longer connects to the
> LAN). NOW the BM server is the only way to get to the internet, and you can
> positively control all access through it.
>
> Since you're new to BM, I highly recommend you check out the good books at
> http://nscsysop.hypermart.net
>
> --
> Jim
> NSC Sysop
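The three layouts discussed in this thread, as an added worked example that is not part of the original posts and not BorderManager code: a small Python model of hosts, layer-2 segments and default gateways that walks a packet hop by hop and reports whether a LAN host's internet traffic is forced through the BM server, bypasses it, or has no route at all. Node names, segment names and the "honest"/"savvy" hosts are constructed for the illustration; the router ACL scenario stands in for Jim's "configure the internet router to only accept packets from the BM server" alternative. The model deals only with the routing path: whatever BM does with traffic once it arrives (packet filters or a transparent proxy) applies only to packets that actually reach it.

```python
"""Toy routing model of the single-NIC vs. two-NIC gateway layouts.

Constructed example, not vendor code. A node is reachable as the next hop
only if it shares a layer-2 segment with the current node; a router may
additionally carry an ACL that limits which previous hop it forwards for.
"""
from __future__ import annotations

from dataclasses import dataclass

INTERNET = "internet"  # pseudo-node: the internet router's upstream link


@dataclass
class Node:
    name: str
    segments: set[str]                       # layer-2 segments this node's NICs sit on
    gateway: str | None                      # next hop used to reach the internet
    allowed_sources: set[str] | None = None  # router ACL: forward only from these nodes


def path_to_internet(nodes: dict[str, Node], src: str) -> list[str] | None:
    """Return the hop list from src to the internet, or None if there is no usable path."""
    path = [src]
    current = nodes[src]
    for _ in range(len(nodes) + 1):  # bound the walk so a routing loop terminates
        nxt = current.gateway
        if nxt == INTERNET:
            return path + [INTERNET]
        if nxt is None or nxt not in nodes:
            return None
        hop = nodes[nxt]
        if not (current.segments & hop.segments):
            return None  # the chosen gateway is not on any directly attached segment
        if hop.allowed_sources is not None and current.name not in hop.allowed_sources:
            return None  # dropped by the router's ACL
        path.append(nxt)
        current = hop
    return None


def classify(nodes: dict[str, Node], host: str, bm: str = "bm") -> str:
    """'controlled' if the path crosses BM, 'bypass' if it reaches the internet without it."""
    path = path_to_internet(nodes, host)
    if path is None:
        return "no_route"
    return "controlled" if bm in path else "bypass"


def single_nic(router_acl: bool = False) -> dict[str, Node]:
    """One NIC in BM; the internet router sits on the same LAN segment as the users."""
    acl = {"bm"} if router_acl else None
    return {
        "bm": Node("bm", {"lan"}, gateway="router"),
        "router": Node("router", {"lan", "wan"}, gateway=INTERNET, allowed_sources=acl),
        "honest": Node("honest", {"lan"}, gateway="bm"),
        "savvy": Node("savvy", {"lan"}, gateway="router"),  # gateway re-pointed at the router
    }


def dual_nic() -> dict[str, Node]:
    """Two NICs in BM (private on the LAN, public toward the router); router off the LAN."""
    return {
        "bm": Node("bm", {"lan", "public"}, gateway="router"),
        "router": Node("router", {"public", "wan"}, gateway=INTERNET),
        "honest": Node("honest", {"lan"}, gateway="bm"),
        "savvy": Node("savvy", {"lan"}, gateway="router"),  # same trick, no longer reachable
    }


def report() -> dict[str, dict[str, str]]:
    """Classify both users under each of the three layouts."""
    layouts = {
        "single_nic": single_nic(),
        "single_nic_router_acl": single_nic(router_acl=True),
        "dual_nic": dual_nic(),
    }
    return {name: {h: classify(n, h) for h in ("honest", "savvy")} for name, n in layouts.items()}


if __name__ == "__main__":
    for layout, results in report().items():
        print(f"{layout:22s} {results}")
```

Running it shows the savvy host classified as "bypass" only in the plain single-NIC layout; the router ACL turns that into "no_route", and the two-NIC layout makes the router unreachable from the LAN segment altogether, which is why Jim calls it the correct configuration.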