From: Ian Smith <smithi@nimnet.asn.au>
To: Olivier Nicole
Cc: Olivier Nicole, Jim Pazarena, freebsd-questions@freebsd.org
Date: Thu, 22 May 2014 01:55:51 +1000 (EST)
Subject: Re: transparent bridge ~ firewall
Message-ID: <20140522011345.V89611@sola.nimnet.asn.au>
References: <20140520221724.P89611@sola.nimnet.asn.au>

On Wed, 21 May 2014 10:26:24 +0700, Olivier Nicole wrote:

> > > > So that firewall rules can be applied between those two transparent
> > > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > > > or re-direct.
> >
> > I'm not clear on what 're-direct' means in the context of a transparent
> > bridge, if it's not doing any routing? But pressing on ..
>
> I don't know either, would have to ask the OP :)

I kinda thought I was - but should have preceded that with [Jim] :)

> > satellite gateway/NAT/proxy box - largely outside our control - and our
> > internal gateway / router for about a dozen machines, incl some wifi.
>
> I am sure that was prior 2004.

Or maybe just around, I remember it had ipfw2. Checking archives, I see
that (the old) bridge.ko still had some issues back then, needed compiling
into kernel and some arp magic. Anyway this is way too much nostalgia for
many, I expect ..

> > > I have switched to zeroshell since because I needed captive portal too
> > > and neither monowall nor pfsense did offer captive portal on bridged
> > > interfaces when I did the change.

Just had another look at m0n0 again after many years, still looks great
for small boxes like PCengines, Soekris and such, and considered pfsense
to replace a Linux IPCop router more recently, but I'm about done being a
volunteer sysadmin these days, and never came across zeroshell.

> > Not cluey on captive portals, but we had a fairly extensive firewall
> > with dummynet shaping, plus local webserver/samba/etc, setup by a
> > colleague, also running from the bridge box .. all the client boxes just
> > ran from a switch.
>
> Captive portal is the authentication for outgoing users: you open any
> web page and get redirected to a login page, then the outgoing
> firewall is open for your IP.

Ah, right. Apart from bandwidth shaping and some port restriction those
cats went largely unherded; they couldn't get into too much mischief on a
256kbps sat down / 128kbps ISDN up link, in a small rural town otherwise
limited to 56kbps dialup - though in retrospect it would've been useful.

> > > I am pretty sure that monowall and pfsense do offer bridged interfaces.
> >
> > As does ipfw. I'd have to do some serious digging through backups to
> > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/
>
> I am mentioning monowall and pfsense because they are built on FreeBSD
> and offer a simple and fully manageable configuration tool: for
> someone not really sure how to bridge interfaces, using a tool with a
> configuration interface may help.

Indeed, agreed. Not hard to install and evaluate either fairly quickly.

cheers, Ian