From owner-freebsd-questions@FreeBSD.ORG Wed May 21 16:28:25 2014
Date: Wed, 21 May 2014 09:28:22 -0700
Subject: Re: transparent bridge ~ firewall
From: "Brian W."
To: Ian Smith
Cc: Olivier Nicole, Jim Pazarena, freebsd-questions@freebsd.org
In-Reply-To: <20140522011345.V89611@sola.nimnet.asn.au>
References: <20140520221724.P89611@sola.nimnet.asn.au> <20140522011345.V89611@sola.nimnet.asn.au>

Pfsense comes to mind as a good way to do this. Dummynet is also an option.

Bw

On May 21, 2014 8:56 AM, "Ian Smith" wrote:
> On Wed, 21 May 2014 10:26:24 +0700, Olivier Nicole wrote:
>
> > > > > So that firewall rules can be applied between those two transparent
> > > > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > > > > or re-direct.
> > > I'm not clear on what 're-direct' means in the context of a transparent
> > > bridge, if it's not doing any routing? But pressing on ..
> >
> > I don't know either, would have to ask the OP :)
>
> I kinda thought I was - but should have preceded that with [Jim] :)
>
> > > satellite gateway/NAT/proxy box - largely outside our control - and our
> > > internal gateway / router for about a dozen machines, incl some wifi.
> >
> > I am sure that was prior 2004. Or maybe just around, I remember it had ipfw2.
>
> Checking archives, I see that (the old) bridge.ko still had some issues
> back then, needed compiling into kernel and some arp magic. Anyway this
> is way too much nostalgia for many, I expect ..
>
> > > > I have switched to zeroshell since because I needed captive portal too
> > > > and neither monowall nor pfsense did offer captive portal on bridged
> > > > interfaces when I did the change.
>
> Just had another look at m0n0 again after many years, still looks great
> for small boxes like PCengines, Soekris and such, and considered pfsense
> to replace a Linux IPCop router more recently, but I'm about done being
> a volunteer sysadmin these days, and never came across zeroshell.
>
> > > Not cluey on captive portals, but we had a fairly extensive firewall
> > > with dummynet shaping, plus local webserver/samba/etc, set up by a
> > > colleague, also running from the bridge box .. all the client boxes just
> > > ran from a switch.
> >
> > Captive portal is the authentication for outgoing users: you open any
> > web page and get redirected to a login page, then the outgoing
> > firewall is open for your IP.
>
> Ah, right. Apart from bandwidth shaping and some port restriction those
> cats went largely unherded; they couldn't get into too much mischief on a
> 256kbps sat down / 128kbps ISDN up link, in a small rural town otherwise
> limited to 56kbps dialup - though in retrospect it would've been useful.
>
> > > > I am pretty sure that monowall and pfsense do offer bridged interfaces.
> > > As does ipfw. I'd have to do some serious digging through backups to
> > > > > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/
> >
> > I am mentioning monowall and pfsense because they are built on FreeBSD
> > and offer a simple and fully manageable configuration tool: for
> > someone not really sure how to bridge interfaces, using a tool with a
> > configuration interface may help.
>
> Indeed, agreed. Not hard to install and evaluate either fairly quickly.
>
> cheers, Ian
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
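The thread mentions three pieces without showing any of them: a transparent if_bridge(4) with no NAT and no routing, ipfw rules applied to traffic crossing it, and dummynet shaping. The script below is an added example (not code from this thread, from Ian's old setup, or from the FreeBSD filtering-bridges article it links) that ties them together on FreeBSD. The interface names em0/em1, the allowed ports, and the 256Kbit/128Kbit pipe sizes (chosen to match the satellite/ISDN link Ian describes) are assumptions for illustration. It emits the rc.conf and sysctl fragments, and loads the rule set through ipfw(8); on a host without ipfw it prints the commands instead so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: a transparent (no IP, no NAT, no routing) filtering bridge on
# FreeBSD with if_bridge(4) and ipfw(8), plus dummynet shaping. Interface
# names, ports and bandwidths below are assumptions for illustration.
set -eu

OUTSIDE="${OUTSIDE:-em0}"         # member facing the uplink (assumed name)
INSIDE="${INSIDE:-em1}"           # member facing the LAN (assumed name)
DOWN_BW="${DOWN_BW:-256Kbit/s}"   # shape traffic arriving from the uplink
UP_BW="${UP_BW:-128Kbit/s}"       # shape traffic arriving from the LAN
# Use the real ipfw on a FreeBSD box; anywhere else fall back to printing the
# commands so the rule set can be previewed. IPFW=echo forces a preview.
if [ -z "${IPFW:-}" ]; then
  if command -v ipfw >/dev/null 2>&1; then IPFW=ipfw; else IPFW=echo; fi
fi

# /etc/rc.conf fragment: bridge0 with two members and no address on any of
# them, so the box has no presence at layer 3 and cannot be targeted directly.
bridge_rc_conf() {
  cat <<EOF
cloned_interfaces="bridge0"
ifconfig_bridge0="addm ${OUTSIDE} addm ${INSIDE} up"
ifconfig_${OUTSIDE}="up"
ifconfig_${INSIDE}="up"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
EOF
}

# /etc/sysctl.conf fragment: filter on the member interfaces (a bridged packet
# is seen "in" on one member and "out" on the other), not on bridge0 itself.
# pfil_onlyip=1 means ARP and other non-IP frames are bridged unfiltered.
# one_pass=0 lets a packet continue down the rules after a dummynet pipe.
bridge_sysctl() {
  cat <<EOF
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_onlyip=1
net.link.bridge.ipfw=0
net.inet.ip.fw.one_pass=0
net.inet.ip.fw.verbose=1
EOF
}

fw() { $IPFW add "$@"; }

# The rule set. A flow is admitted only where it enters the bridge from the
# LAN (in recv INSIDE); the dynamic rule that keep-state creates then lets the
# replies back in from the uplink via check-state. Everything else, including
# any new connection arriving from the uplink, hits the final deny and is logged.
firewall_rules() {
  $IPFW -f flush
  $IPFW -f pipe flush
  $IPFW pipe 1 config bw "${DOWN_BW}"
  $IPFW pipe 2 config bw "${UP_BW}"
  fw 100 allow ip from any to any via lo0
  fw 200 pipe 1 ip from any to any in recv "${OUTSIDE}"
  fw 210 pipe 2 ip from any to any in recv "${INSIDE}"
  fw 300 check-state
  fw 310 allow tcp from any to any dst-port 22,80,443 in recv "${INSIDE}" setup keep-state
  fw 320 allow udp from any to any dst-port 53,123 in recv "${INSIDE}" keep-state
  fw 330 allow icmp from any to any icmptypes 8 in recv "${INSIDE}" keep-state
  fw 900 deny log ip from any to any
}

# Usage: sh ipfw-bridge.sh rc.conf | sysctl | rules
if [ $# -gt 0 ]; then
  case "$1" in
    rc.conf) bridge_rc_conf ;;
    sysctl)  bridge_sysctl ;;
    rules)   firewall_rules ;;
    *) echo "usage: $0 rc.conf|sysctl|rules" >&2; exit 64 ;;
  esac
fi
```

Two points worth checking on a real box before trusting this: run `sysctl net.link.bridge` after boot to confirm pfil_member=1 and pfil_bridge=0 took effect (with the defaults, each packet would be evaluated on bridge0 as well and the `recv` matches above would not behave as described), and watch `ipfw -d list` while a LAN host browses to confirm that the dynamic rules are created on the inside member and matched for the replies. The "re-direct" the original poster asked about is not covered here: ipfw's `fwd` changes the next hop, which is routing, not bridging.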