From owner-freebsd-questions@FreeBSD.ORG Wed May 21 03:26:25 2014
Date: Wed, 21 May 2014 10:26:24 +0700
Subject: Re: transparent bridge ~ firewall
From: Olivier Nicole
To: Ian Smith
Cc: Olivier Nicole, Jim Pazarena, freebsd-questions@freebsd.org
In-Reply-To: <20140520221724.P89611@sola.nimnet.asn.au>
Ian,

> > > Is it possible to configure fbsd so that it passes traffic thru two
> > > nics "transparently", (with a third nic installed as the management IP)?
> > >
> > > So that firewall rules can be applied between those two transparent
> > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > > or re-direct.
>
> I'm not clear on what 're-direct' means in the context of a transparent
> bridge, if it's not doing any routing? But pressing on ..

I don't know either, would have to ask the OP :)

> > > I purchased a device which uses debian to do this. I would like to
> > > see if I can duplicate the functions on FreeBSD, my OS of choice.
> >
> > I used to do that a few years ago, using ip-firewall at that time
> > instead of ipfw, I can't remember the reason why, I think it was the
> > unavailability of layer 2 in IPFW at that time.
>
> If that was the reason, it must have been prior to Jan '94 when I built
> a transparent filtering bridge box for a local community technology
> centre using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a
> satellite gateway/NAT/proxy box - largely outside our control - and our
> internal gateway / router for about a dozen machines, incl some wifi.

I am sure that was prior to 2004. Or maybe just around, I remember it had
ipfw2.

> All layer 2 except for the layer 3 management functions on the inside
> interface; ie it only needed 2 NICs, but you can use 3 if you want :)
>
> > I have switched to zeroshell since because I needed captive portal too
> > and neither monowall nor pf sense did offer captive portal on bridged
> > interfaces when I did the change.
>
> Not cluey on captive portals, but we had a fairly extensive firewall
> with dummynet shaping, plus local webserver/samba/etc, setup by a
> colleague, also running from the bridge box .. all the client boxes just
> ran from a switch.

Captive portal is the authentication for outgoing users: you open any web
page and get redirected to a login page, then the outgoing firewall is
open for your IP.

> > I am pretty sure that monowall and pfsense do offer bridged interfaces.
>
> As does ipfw. I'd have to do some serious digging through backups to
> provide configuration detail, and that was with the older bridge.ko but
> will hunt if it might be useful. I recall at the time finding plenty on
> the web and in the handbook, along with, of course, ipfw(8) and some
> help from folks on -net, so it wasn't so difficult to get going well.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/

I am mentioning monowall and pfsense because they are built on FreeBSD
and offer a simple and fully manageable configuration tool: for someone
not really sure how to bridge interfaces, using a tool with a
configuration interface may help.

Bests,

Olivier
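The setup the thread discusses (two NICs bridged transparently, firewall rules between them, a third NIC for management, no NAT and no routing), as an added example that is not from the thread or from any of its participants: a FreeBSD if_bridge(4) plus ipfw(8) script for the bridge box. The interface names em0/em1/em2, the 192.0.2.0/24 admin network and the set of allowed services are assumptions; off a FreeBSD box with no ipfw binary the script only prints the ruleset so it can be reviewed.

```shell
#!/bin/sh
# Added example: transparent filtering bridge on FreeBSD with if_bridge(4)
# and ipfw(8), run as root on the bridge box. Assumed names, not from the
# thread: em0/em1 are the two transparent NICs, em2 carries the management
# IP, 192.0.2.0/24 is the admin network.
OUTSIDE=em0; INSIDE=em1; MGMT=em2
MGMT_IP=192.0.2.10; ADMIN_NET=192.0.2.0/24

fwcmd=/sbin/ipfw
# Off-box (no ipfw binary) only print the ruleset so it can be reviewed.
[ -x "$fwcmd" ] || fwcmd="echo ipfw"

bridge_setup() {
    # The bridged pair carries no IP address at all; only em2 is addressed.
    ifconfig bridge0 create
    ifconfig bridge0 addm "$OUTSIDE" addm "$INSIDE" up
    ifconfig "$OUTSIDE" up
    ifconfig "$INSIDE" up
    ifconfig "$MGMT" inet "$MGMT_IP/24"
    # Run bridged IP packets through ipfw once, on the member interfaces.
    # Non-IP frames such as ARP are bridged unfiltered (pfil_onlyip=1 default).
    sysctl net.link.bridge.pfil_member=1
    sysctl net.link.bridge.pfil_bridge=0
}

bridge_rules() {
    $fwcmd -q flush
    $fwcmd add 90 check-state
    # Management plane: SSH in from the admin network and the box's own
    # outbound sessions are stateful; anything else arriving on em2 is dropped.
    $fwcmd add 100 allow tcp from "$ADMIN_NET" to "$MGMT_IP" 22 in recv "$MGMT" setup keep-state
    $fwcmd add 110 allow ip from me to any out xmit "$MGMT" keep-state
    $fwcmd add 120 deny log ip from any to any in recv "$MGMT"
    # Bridged traffic is decided on ingress; whatever was admitted may leave.
    $fwcmd add 150 allow ip from any to any out
    # Inside hosts may browse and resolve names across the bridge, nothing else.
    $fwcmd add 200 allow tcp from any to any 80,443 in recv "$INSIDE"
    $fwcmd add 210 allow tcp from any 80,443 to any in recv "$OUTSIDE" established
    $fwcmd add 220 allow udp from any to any 53 in recv "$INSIDE"
    $fwcmd add 230 allow udp from any 53 to any in recv "$OUTSIDE"
    # Everything else crossing the bridge is dropped and logged.
    $fwcmd add 65000 deny log ip from any to any via "$OUTSIDE"
    $fwcmd add 65001 deny log ip from any to any via "$INSIDE"
}

if [ -x /sbin/ipfw ]; then bridge_setup; fi
bridge_rules
```

To make this survive a reboot, the interface and sysctl settings belong in /etc/rc.conf (cloned_interfaces, ifconfig_bridge0) and /etc/sysctl.conf, and the rules in the file named by firewall_type.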