Date:      Tue, 19 Apr 2005 01:53:21 -0500
From:      Ryan Stark <syah@io.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: pf + bridge
Message-ID:  <20050419015321.2b893054.syah@io.com>
In-Reply-To: <20050418220237.GJ867@chimie.u-strasbg.fr>
References:  <72c3a957050411062060eea5cc@mail.gmail.com> <20050418220237.GJ867@chimie.u-strasbg.fr>


On Tue, 19 Apr 2005 00:02:37 +0200
Guy Brand <gb@isis.u-strasbg.fr> wrote:

> On 11 April at 13:20, Sergey Lyubka wrote:
> 
> > I am trying to build a transparent filtering box.
> > Box is running freebsd 5.4, pf and bridge, this is
> > the setup:
> 
>   FreeBSD has no support for pf in its bridge code. Neither has it
>   IPv6 support.
> 
I have been using FreeBSD & pf as a transparent bridge since 5.2.
(Before that, I was using OpenBSD & pf)

Mine looks something like this:

in
  |
  | fxp0, 0.0.0.0
 -----
|     |
|     |--- fxp1, (internal admin interface)
|     |
 -----
  |
  | fxp1, 0.0.0.0

cat /etc/sysctl.conf

#bridging enable for fxp0,fxp1
net.link.ether.bridge.config=fxp0:0,fxp1:0
net.link.ether.bridge.enable=1

cat rc.conf

pflog_enable="YES"
# Set to YES to enable packet filter logging

pf_rules="/etc/host.pf.conf"
# rules definition file for pf. different than default. mergemaster
# likes to clobber default

pflog_enable="YES"
# Set to YES to enable packet filter logging



ifconfig

fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:90:27:59:03:71
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:a0:c9:d8:8f:b1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

A slightly dated, but fully functional, <scrubbed> ruleset can be found
here:

http://www.io.com/sirius/pf.conf-3.3.example

Hope that might clear up any confusion.

With regards to Sergey's original question, I have not
played with the web proxy on the bridge; however, I have used the
ftp proxy module on my NAT gateway machine with no problems. Maybe
using it there would work better?

-- 
Ryan Stark | syah io com
BOFH excuse #365:

parallel processors running perpendicular today
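The layout above hinges on one property: the two bridge members (fxp0 and fxp1 in the sysctl line) must be up, in promiscuous mode, and carry no IPv4 address, so the filtering box is not itself addressable from the segments it filters. The following POSIX shell check is an added example, not code from the mail or from the FreeBSD project; it parses ifconfig-style output and flags any listed member that breaks that rule. The ifconfig text embedded in it is constructed sample data (interface names and MAC addresses are placeholders), and the function name `check_bridge_members` is an assumption of this example.

```shell
#!/bin/sh
# Added example (not part of the original mail): verify that the interfaces
# named as transparent-bridge members are UP, PROMISC and have no inet address.
# Usage: ifconfig | check_bridge_members fxp0 fxp1
# Returns 0 when every member passes, 1 otherwise (reasons go to stderr).
check_bridge_members() {
    ifc="$(cat)"      # whole ifconfig output from stdin
    rc=0
    for dev in "$@"; do
        # Cut out this interface's block: from "dev:" at column 0 up to the
        # next "name:" line at column 0 (indented lines belong to the block).
        block="$(printf '%s\n' "$ifc" | awk -v d="$dev" '
            /^[a-z0-9]+:/ { inblk = ($1 == d ":") }
            inblk { print }')"
        if [ -z "$block" ]; then
            echo "$dev: not found in ifconfig output" >&2
            rc=1
            continue
        fi
        case "$block" in
            *UP*) ;;
            *) echo "$dev: interface is not UP" >&2; rc=1 ;;
        esac
        case "$block" in
            *PROMISC*) ;;
            *) echo "$dev: not in promiscuous mode (bridge not attached?)" >&2; rc=1 ;;
        esac
        # A transparent bridge port must stay at 0.0.0.0: any inet line is a finding.
        if printf '%s\n' "$block" | grep -q '^[[:space:]]*inet '; then
            echo "$dev: carries an IPv4 address; bridge ports should have none" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: two clean bridge ports plus a separate admin interface.
SAMPLE_OK='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:5e:00:53:01
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:5e:00:53:02
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:03'

# Constructed sample of a misconfiguration: fxp1 was given an address and
# the bridge never attached to it (no PROMISC flag).
SAMPLE_BAD='fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        ether 00:00:5e:00:53:01
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.20 netmask 0xffffff00 broadcast 192.0.2.255
        ether 00:00:5e:00:53:02'

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OK" | check_bridge_members fxp0 fxp1 && echo "sample OK: bridge ports look sane"
printf '%s\n' "$SAMPLE_BAD" | check_bridge_members fxp0 fxp1 || echo "sample BAD: findings reported above"
```

On a live box the same function is fed real output (`ifconfig | check_bridge_members fxp0 fxp1`); pairing it with a check that the admin interface is the only one holding an address keeps the "filter box has no address on the filtered segments" property from silently regressing after a reconfiguration.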




