From owner-freebsd-pf@FreeBSD.ORG Sat Nov 19 00:16:51 2005
From: Soren Worach
To: freebsd-pf@freebsd.org
Date: Fri, 18 Nov 2005 22:19:05 -0200
User-Agent: KMail/1.8.3
References: <437E088F.7080809@wombatsweb.com> <437E38EA.6050409@mantor.org>
In-Reply-To: <437E38EA.6050409@mantor.org>
Message-Id: <200511182219.05951.soren3@gmail.com>
Subject: Re: Best practices for service provider?
On Friday 18 November 2005 18:26, Danny Fullerton wrote:
> David Pierron wrote:
> > This is a loaded question so please bear with me. I could really use
> > the advice/help.
> >
> > I am coming from a FreeBSD 4.9 IPLess IPFW Bridging Firewall ... I
> > had followed the directions from the FreeBSD Handbook ... Recently it
> > crashed, so I had to rebuild it, uhm ... quickly ...
> >
> > This time I decided to include a 3rd NIC so that I could get the
> > nightly emails and pay a bit better attention to its status ... It is
> > working, but giving me some errors about arp: xx:xx:xx:xx:xx:xx is
> > using my IP address my.c.class.xx! I have been scouring the Internet
> > for information, and I decided to give PF a try ... I installed
> > OpenBSD 3.8 but didn't like its CLI interface ... Not that I use a
> > GUI, I don't ... I just hop around much better on FreeBSD ...
> >
> > I drew a picture of what I am envisioning as a firewall solution for
> > me here:
> > http://www.davidpierron.com/img/net-map.jpg
> >
> > I installed FreeBSD 6.0 and cvsup'd ports and src ... put the
> > following into GENERIC:
> >
> > # to allow bridge support
> > device if_bridge
> >
> > #PF
> > device pf
> > device pflog
> > device pfsync
> >
> > #ALTQ
> > options ALTQ
> > options ALTQ_CBQ     # Class Based Queuing (CBQ)
> > options ALTQ_RED     # Random Early Detection (RED)
> > options ALTQ_RIO     # RED In/Out
> > options ALTQ_HFSC    # Hierarchical Packet Scheduler (HFSC)
> > options ALTQ_PRIQ    # Priority Queuing (PRIQ)
> > #options ALTQ_NOPCC  # Required for SMP build
> >
> > # other stuff
> > options IPSTEALTH
> > options HZ=1000
> >
> > I put the following into rc.conf:
> >
> > defaultrouter="my.c.class.1"
> > hostname="firewall.foo.org"
> > ifconfig_xl0="inet my.c.class.2 netmask 255.255.255.0"
> > usbd_enable="NO"
> > sendmail_enable="NO"
> >
> > cloned_interfaces="bridge0"            # create a bridge
> > ifconfig_bridge0="addm rl0 addm rl1"   # set bridge to use particular NICs
> > #gateway_enable="YES"
> >
> > pf_enable="YES"                  # Enable PF (load module if required)
> > pf_rules="/etc/pf.conf"          # rules definition file for pf
> > pf_flags=""                      # additional flags for pfctl startup
> > pflog_enable="YES"               # start pflogd(8)
> > pflog_logfile="/var/log/pflog"   # where pflogd should store the logfile
> > pflog_flags=""                   # additional flags for pflogd startup
> >
> > .. and into sysctl.conf:
> >
> > net.link.bridge.pfil_bridge=1   # enables packet filtering on bridge
> > net.link.bridge.pfil_member=1   # enables packet filtering on in and out interfaces
> > #net.inet.ip.forwarding=1       # instead of gateway_enable in rc.conf?
> >
> > I am running into one of two things ... Trying to find information
> > that isn't widely available yet, or trying to figure this out from old
> > posts that don't apply anymore ... The other thing going against me
> > is that I haven't seen anything that resembles my setup ... I am not
> > running any NAT ... I am using real world routable IP addresses ... I
> > am assuming I need a 3rd NIC to be separate from the firewall ...
>
> You can use a firewalled interface or bridge interface as a normal interface
> too. It only depends on your config. You'll find lots of stuff on
> google referring to a setup like yours but when searching for OpenBSD stuff.
>
> > From my recent readings of this list's archives, it doesn't seem that I
> > would want to run a bridge ... It won't allow me to keep state ...
> > If this is the case, how do I not assign the network cards that will
> > be doing the filtering no ip address? I tried some interesting
> > combinations with ifconfig in rc.conf, but they didn't work ... When
> > I thought everything was up and running correctly, I put this box
> > between my router and switch but traffic didn't flow ... I could ping
> > internally, but could not ping the router's address which is the
> > gateway (x.x.x.1) ... I assumed that the internal pinging was working
> > on the 3rd NIC with the real IP address ...
>
> Stateful mode is working in bridge mode using OpenBSD PF. But I don't
> know if it's presently the case with the FreeBSD implementation.

It _is_ the case, pf supports stateful with bridging. I'm using 6.0 since
betaX on a couple of setups like this.

> > My question is, can I use two NICs for PF to do firewalling on to put
> > between the router and the switch and then plug the 3rd NIC in and
> > have it act as a separate interface on the box, or should I simply use
> > 2 NICs and assign them real IP addresses ... If I do that, will
> > IPSTEALTH compiled into the kernel not show the presence of the
> > filtering?
>
> As I said, you could use this kind of setup (3 cards to keep the logic
> simple) or, while using 2 interfaces in bridge mode, use 1 of them with an
> internal ip address (bridge and standard).
>
> > I think I have successfully confused myself with redundant or old
> > information out there on the 'net, so again ... any suggestions or
> > advice on what I am trying to accomplish would be greatly appreciated.

Please post your pf.conf.

> >
> > Thank you for reading,
> > David Pierron
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> You should begin by playing with Packet Filter while being in bridge
> mode and gradually including features like the management ip/interface
> before going too far and not understanding.
>
> Danny Fullerton
> ----------------------
> IT Security Specialist
> dfullerton@mantor.org
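A starting pf.conf for the layout discussed in this thread, added here as an example and not a ruleset from David, Danny or Soren: rl0 and rl1 are the bridge members, xl0 carries the management address, and stateful filtering is done once, on the router-facing member. The admin host list and the published service ports are constructed placeholders, as are the my.c.class addresses the thread already uses.

```pf
# Added example, not a ruleset from this thread. Layout assumed from the
# post: rl0 (router side) and rl1 (switch side) are members of bridge0,
# xl0 is the routed management NIC, my.c.class.* are the thread's own
# placeholders. Admin hosts and published ports are constructed values.
ext_if      = "rl0"
int_if      = "rl1"
mgmt_if     = "xl0"
mgmt_ip     = "my.c.class.2"
lan         = "my.c.class.0/24"
admin_hosts = "{ my.c.class.10, my.c.class.11 }"   # constructed
services    = "{ 25, 80, 443 }"                     # constructed

# Filter each bridged packet exactly once, on $ext_if only. The other
# member and bridge0 are skipped so nothing is evaluated twice; pair this
# with net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0
# rather than setting both sysctls to 1.
set skip on { lo0 $int_if bridge0 }

# Default deny, logged, on every interface pf does inspect.
block log all

# Management NIC: ssh from the admin hosts only, plus connections the
# firewall itself opens (DNS, NTP, the nightly status mail).
pass in  on $mgmt_if proto tcp from $admin_hosts to $mgmt_ip port 22 \
    flags S/SA keep state
pass out on $mgmt_if from $mgmt_ip to any keep state

# LAN to Internet: state is created here on $ext_if, so the replies
# coming back in on $ext_if match the state table, not a rule.
pass out on $ext_if proto tcp from $lan to any flags S/SA keep state
pass out on $ext_if proto { udp, icmp } from $lan to any keep state

# Internet to LAN: only the published services and echo requests.
pass in on $ext_if proto tcp from any to $lan port $services \
    flags S/SA keep state
pass in on $ext_if inet proto icmp from any to $lan icmp-type echoreq keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading; with everything else blocked and logged, `tcpdump -n -e -ttt -i pflog0` shows what the ruleset is still dropping.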