Date:      Thu, 22 May 2014 01:55:51 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Olivier Nicole <olivier2553@gmail.com>
Cc:        Olivier Nicole <on@cs.ait.ac.th>, Jim Pazarena <fquest@paz.bz>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: transparent bridge ~ firewall
Message-ID:  <20140522011345.V89611@sola.nimnet.asn.au>
In-Reply-To: <CA+g+Bvg7XGiB593QoXaXn42q5FQra2Y06ehuP4zBJP-kjTrhng@mail.gmail.com>
References:  <mailman.73.1400587201.90245.freebsd-questions@freebsd.org> <20140520221724.P89611@sola.nimnet.asn.au> <CA+g+Bvg7XGiB593QoXaXn42q5FQra2Y06ehuP4zBJP-kjTrhng@mail.gmail.com>

On Wed, 21 May 2014 10:26:24 +0700, Olivier Nicole wrote:

 > >  > > So that firewall rules can be applied between those two transparent
 > >  > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
 > >  > > or re-direct.
 > > I'm not clear on what 're-direct' means in the context of a transparent
 > > bridge, if it's not doing any routing?  But pressing on ..
 > 
 > I don't know either, would have to ask the OP :)

I kinda thought I was - but should have preceded that with [Jim] :)

 > > satellite gateway/NAT/proxy box - largely outside our control - and our
 > > internal gateway / router for about a dozen machines, incl some wifi.
 > 
 > I am sure that was prior 2004. Or maybe just around, I remember it had ipfw2.

Checking archives, I see that (the old) bridge.ko still had some issues 
back then, needed compiling into kernel and some arp magic.  Anyway this 
is way too much nostalgia for many, I expect ..

 > >  > I have switched to zeroshell since because I needed captive portal too
 > >  > and neither monowall nor pf sense did offer captive portal on bridged
 > >  > interfaces when I did the change.

Just had another look at m0n0 again after many years, still looks great 
for small boxes like PCengines, Soekris and such, and considered pfsense 
to replace a Linux IPCop router more recently, but I'm about done being 
a volunteer sysadmin these days, and never came across zeroshell.

 > > Not cluey on captive portals, but we had a fairly extensive firewall
 > > with dummynet shaping, plus local webserver/samba/etc, setup by a
 > > colleague, also running from the bridge box .. all the client boxes just
 > > ran from a switch.
 > 
 > Captive portal is the authentication for outgoing users: you open any
 > web page and get redirected to a login page, then the outgoing
 > firewall is open for your IP.

Ah, right.  Apart from bandwidth shaping and some port restriction those 
cats went largely unherded; they couldn't get into too much mischief on a 
256kbps sat down / 128kbps ISDN up link, in a small rural town otherwise 
limited to 56kbps dialup - though in retrospect it would've been useful.

 > >  > I am pretty sure that monowall and pfsense do offer bridged interfaces.
 > > As does ipfw.  I'd have to do some serious digging through backups to

 > > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/
 > 
 > I am mentioning monowall and pfsense because they are built on FreeBSD
 > and offer a simple and fully manageable configuration tool: for
 > someone not really sure how to bridge interfaces, using a tool with a
 > configuration interface may help.

Indeed, agreed.  Not hard to install and evaluate either fairly quickly.

cheers, Ian
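The allow/drop-only bridge Jim asks about at the top of the thread, as an added example that is not from this thread or from the FreeBSD filtering-bridges article it links: rc.conf/sysctl.conf lines plus an ipfw script for a two-NIC if_bridge box that neither NATs nor routes. The interface names em0/em1, the 192.0.2.0/24 prefix and the 192.0.2.10 web host are assumptions; set IPFW=echo to print the rules instead of loading them.

```sh
#!/bin/sh
# Transparent two-NIC filtering bridge on FreeBSD (if_bridge + ipfw):
# frames cross unchanged, no NAT, no routing, only allow/drop decisions.
# Every name and address below is an assumption made for this example.
#
# Boot-time equivalents of bridge_setup():
#   /etc/rc.conf:     cloned_interfaces="bridge0"
#                     ifconfig_bridge0="addm em0 addm em1 up"
#                     ifconfig_em0="up"   ifconfig_em1="up"
#   /etc/sysctl.conf: net.link.bridge.ipfw=1
# Load the policy at boot with: sh /usr/local/etc/ipfw.bridge.sh load

OUT=${OUT:-em0}              # assumed NIC toward the upstream gateway
IN=${IN:-em1}                # assumed NIC toward the LAN switch
LAN=${LAN:-192.0.2.0/24}     # constructed LAN prefix (documentation range)
WEB=${WEB:-192.0.2.10}       # constructed LAN host publishing 80/443
IPFW=${IPFW:-/sbin/ipfw}     # IPFW=echo prints the rules instead of loading

# Build the bridge by hand and hand bridged frames to ipfw.
bridge_setup() {
    ifconfig bridge0 create
    ifconfig bridge0 addm "$OUT" addm "$IN" up
    ifconfig "$OUT" up
    ifconfig "$IN" up
    sysctl net.link.bridge.ipfw=1
}

# Policy as seen from the bridge: "in via" names the member interface the
# frame arrived on, so direction is decided by which NIC received it.
ruleset() {
    $IPFW -q -f flush
    $IPFW add 100 allow ip from any to any via lo0
    # Replies for sessions admitted by the keep-state rules below.
    $IPFW add 200 check-state
    # LAN hosts may open anything toward the upstream side.
    $IPFW add 300 allow ip from "$LAN" to any in via "$IN" keep-state
    # From upstream, only the published web ports reach $WEB; every
    # other inbound SYN is logged and dropped.
    $IPFW add 400 allow tcp from any to "$WEB" 80,443 in via "$OUT" setup keep-state
    $IPFW add 500 deny log tcp from any to any in via "$OUT" setup
    # Enough ICMP for ping and path-MTU discovery to cross the bridge.
    $IPFW add 600 allow icmp from any to any icmptypes 0,3,8,11
    # Default drop, logged so the bridge box records what it blocks.
    $IPFW add 65000 deny log ip from any to any
}

case "${1:-}" in
    setup) bridge_setup ;;
    load)  ruleset ;;
    *)     echo "usage: $0 setup|load" >&2 ;;
esac
```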
