From: Ian Smith <smithi@nimnet.asn.au>
To: Olivier Nicole
Cc: Jim Pazarena, freebsd-questions@freebsd.org
Subject: Re: transparent bridge ~ firewall
Date: Tue, 20 May 2014 23:43:27 +1000 (EST)
Message-ID: <20140520221724.P89611@sola.nimnet.asn.au>
List: freebsd-questions@freebsd.org (User questions)

In freebsd-questions Digest, Vol 520, Issue 2, Message: 19
On Tue, 20 May 2014 11:59:27 +0700 Olivier Nicole wrote:

Hi there Olivier,

> Jim,
>
> > Is it possible to configure fbsd so that it passes traffic thru two
> > nics "transparently", (with a third nic installed as the management IP)?
> >
> > So that firewall rules can be applied between those two transparent
> > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > or re-direct.

I'm not clear on what 're-direct' means in the context of a transparent
bridge, if it's not doing any routing? But pressing on ..

> > I purchased a device which uses debian to do this. I would like to
> > see if I can duplicate the functions on FreeBSD, my OS of choice.
>
> I used to do that a few years ago, using ip-firewall at that time
> instead of ipfw, I can't remember the reason why, I think it was the
> unavailability of layer 2 in IPFW at that time.

If that was the reason, it must have been prior to Jan '94 when I built a
transparent filtering bridge box for a local community technology centre
using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a satellite
gateway/NAT/proxy box - largely outside our control - and our internal
gateway / router for about a dozen machines, incl. some wifi.

All layer 2 except for the layer 3 management functions on the inside
interface; i.e. it only needed 2 NICs, but you can use 3 if you want :)

> I have switched to zeroshell since because I needed captive portal too
> and neither monowall nor pf sense did offer captive portal on bridged
> interfaces when I did the change.

Not cluey on captive portals, but we had a fairly extensive firewall with
dummynet shaping, plus local webserver/samba/etc, set up by a colleague,
also running from the bridge box .. all the client boxes just ran from a
switch.

> I am pretty sure that monowall and pfsense do offer bridged interfaces.

As does ipfw. I'd have to do some serious digging through backups to
provide configuration detail, and that was with the older bridge.ko, but
will hunt if it might be useful. I recall at the time finding plenty on
the web and in the handbook, along with, of course, ipfw(8) and some help
from folks on -net, so it wasn't so difficult to get going well.

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/

Of course m0n0wall or pfsense may do everything needed, I wouldn't know.

> Best regards,
>
> Olivier

cheers, Ian
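The setup the thread describes, a FreeBSD box bridging two NICs at layer 2 with ipfw rules applied to the bridged traffic and a third NIC carrying the management address, as an added example. This is not Ian's old bridge.ko configuration and not code from the thread; it uses the current if_bridge(4) driver, and instead of the layer-2 ipfw path (net.link.ether.ipfw / net.link.bridge.ipfw) it lets ipfw's ordinary IP hooks run on bridge0 via net.link.bridge.pfil_bridge, so rules can say "via bridge0" and bridged IP packets are filtered once per direction. The interface names em0/em1/em2, the management address 192.0.2.10/24, the inside network 192.168.10.0/24 and the rules file path /etc/ipfw.rules are assumptions for illustration:

```sh
#!/bin/sh
# Transparent filtering bridge on FreeBSD with if_bridge(4) and ipfw(8).
# Added example, not taken from the thread. Assumed layout (change to taste):
#   em0 = outside NIC, em1 = inside NIC: both bridge members, no IP address
#   em2 = management NIC with 192.0.2.10/24; protected LAN is 192.168.10.0/24
# Usage: sh bridge-fw.sh show   - print the rc.conf, sysctl.conf and ipfw fragments
#        sh bridge-fw.sh apply  - write them on the FreeBSD box (as root)

OUT_IF=em0
IN_IF=em1
MGMT_IF=em2
MGMT_IP=192.0.2.10
MGMT_NET=192.0.2.0/24
INSIDE_NET=192.168.10.0/24
RULES_FILE=/etc/ipfw.rules

# rc.conf: clone bridge0, add both NICs as members, give only the management
# NIC an address, and have rc.firewall load the ruleset from a file
# (firewall_type set to a path means "ipfw -q <path>").
rc_conf_fragment() {
    cat <<EOF
cloned_interfaces="bridge0"
ifconfig_bridge0="addm $OUT_IF addm $IN_IF up"
ifconfig_$OUT_IF="up"
ifconfig_$IN_IF="up"
ifconfig_$MGMT_IF="inet $MGMT_IP/24"
firewall_enable="YES"
firewall_quiet="YES"
firewall_logging="YES"
firewall_type="$RULES_FILE"
EOF
}

# sysctl.conf: run the IP firewall hooks on bridge0 itself rather than on each
# member interface, so every bridged IP packet is checked once inbound and
# once outbound "via bridge0". pfil_onlyip=1 means non-IP frames (ARP etc.)
# are bridged without being filtered.
sysctl_fragment() {
    cat <<EOF
net.link.bridge.pfil_member=0
net.link.bridge.pfil_bridge=1
net.link.bridge.pfil_onlyip=1
EOF
}

# Rule file for "ipfw <file>": one ipfw command per line, no "ipfw" prefix.
# rc.firewall flushes the old set before loading this one. Bridged packets
# traverse the set twice (in and out via bridge0), so the bridge rules are
# kept stateless; a "log" rule on bridge0 therefore logs each hit twice.
ipfw_rules() {
    cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
add 01000 allow tcp from $MGMT_NET to $MGMT_IP 22 in via $MGMT_IF
add 01010 allow tcp from $MGMT_IP 22 to $MGMT_NET out via $MGMT_IF
add 01020 allow icmp from $MGMT_NET to $MGMT_IP in via $MGMT_IF icmptypes 8
add 01030 allow icmp from $MGMT_IP to $MGMT_NET out via $MGMT_IF icmptypes 0
add 01900 deny log ip from any to any via $MGMT_IF
add 02000 deny log tcp from any to any 23 via bridge0
add 02100 deny log tcp from any to $INSIDE_NET 135,139,445 via bridge0
add 02200 deny log udp from any to $INSIDE_NET 137,138 via bridge0
add 02900 allow ip from any to any via bridge0
add 65000 deny log ip from any to any
EOF
}

# Write the fragments in place. Only meaningful on the FreeBSD bridge box.
apply_config() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply must run as root" >&2
        return 1
    fi
    rc_conf_fragment >> /etc/rc.conf
    sysctl_fragment >> /etc/sysctl.conf
    ipfw_rules > "$RULES_FILE"
    echo "configuration written; reboot to bring up bridge0 and the ruleset cleanly"
}

case "${1:-show}" in
    show)  rc_conf_fragment; echo; sysctl_fragment; echo; ipfw_rules ;;
    apply) apply_config ;;
    *)     echo "usage: $0 show|apply" >&2; exit 2 ;;
esac
```

Traffic between hosts on the inside LAN never crosses the bridge, so "to $INSIDE_NET" on a bridge0 rule effectively means "coming from the outside side"; that is how the SMB/RPC blocks above get direction without relying on in/out, which on bridge0 is hit once each way for every packet. Neither bridge0 nor the member NICs carry an address, so the box is invisible at layer 3 except on em2; if the box itself needs outbound traffic from the management address (DNS, NTP, package fetches), add matching rules before 01900.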