Security Basics mailing list archives

Best IP configuration for OpenBSD firewall/router


From: Damon McMahon <inst_karma () hotmail com>
Date: Sun, 17 Aug 2003 13:20:36 +0930

Greetings,

I'm in the process of configuring an old Pentium 75 MHz box to act as an OpenBSD firewall/gateway for my small office LAN on a 192.168.0.0/24 subnet (I have some *BSD experience with MacOS X).

Presently a Windows 2000 Professional box is doing the job (using the inbuilt Internet Connection Sharing service) but for some time I haven't been convinced of the security of this configuration, and the recently announced Windows RPC flaw has spurred me into action! OK, that's enough background, my question is:

Is there any advantage of putting the firewall/gateway host on a different subnet - say, 192.168.1.0/24 - to the rest of the LAN, from a security perspective?

The easy option seems to put it on the same subnet, say 192.168.0.254 (since 192.168.0.1 is already taken by the existing Windows 2000 gateway); everything communicates with everything in this configuration.

However, part of me thinks it should be intentionally _difficult_ (from a security perspective) for the firewall/gateway box to communicate with the rest of the LAN.

Is that misguided?

If this is a good idea (gateway on separate subnet), then how should I configure the routing tables on the gateway and rest of the LAN so that everything routes correctly?

Thanks in advance for any assistance.


