Date: Fri, 18 Nov 2005 22:19:05 -0200
From: Soren Worach <soren3@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: Best practices for service provider?
Message-ID: <200511182219.05951.soren3@gmail.com>
In-Reply-To: <437E38EA.6050409@mantor.org>
References: <437E088F.7080809@wombatsweb.com> <437E38EA.6050409@mantor.org>
On Friday 18 November 2005 18:26, Danny Fullerton wrote:
> David Pierron wrote:
> > This is a loaded question so please bear with me. I could really use
> > the advice/help.
> >
> > I am coming from a FreeBSD 4.9 IPless IPFW Bridging Firewall ... I
> > had followed the directions from the FreeBSD Handbook ... Recently it
> > crashed, so I had to rebuild it, uhm ... quickly ...
> >
> > This time I decided to include a 3rd NIC so that I could get the
> > nightly emails and pay a bit better attention to its status ... It is
> > working, but giving me some errors about "arp: xx:xx:xx:xx:xx:xx is
> > using my IP address my.c.class.xx!" I have been scouring the Internet
> > for information, and I decided to give PF a try ... I installed
> > OpenBSD 3.8 but didn't like its CLI interface ... Not that I use a
> > GUI, I don't ... I just hop around much better on FreeBSD ...
> >
> > I drew a picture of what I am envisioning as a firewall solution for
> > me here:
> > http://www.davidpierron.com/img/net-map.jpg
> >
> > I installed FreeBSD 6.0 and cvsup'd ports and src ... put the
> > following into GENERIC:
> >
> > # to allow bridge support
> > device if_bridge
> >
> > #PF
> > device pf
> > device pflog
> > device pfsync
> >
> > #ALTQ
> > options ALTQ
> > options ALTQ_CBQ      # Class Bases Queuing (CBQ)
> > options ALTQ_RED      # Random Early Detection (RED)
> > options ALTQ_RIO      # RED In/Out
> > options ALTQ_HFSC     # Hierarchical Packet Scheduler (HFSC)
> > options ALTQ_PRIQ     # Priority Queuing (PRIQ)
> > #options ALTQ_NOPCC   # Required for SMP build
> >
> > # other stuff
> > options IPSTEALTH
> > options HZ=1000
> >
> > I put the following into rc.conf:
> >
> > defaultrouter="my.c.class.1"
> > hostname="firewall.foo.org"
> > ifconfig_xl0="inet my.c.class.2 netmask 255.255.255.0"
> > usbd_enable="NO"
> > sendmail_enable="NO"
> >
> > cloned_interfaces="bridge0"              # create a bridge
> > ifconfig_bridge0="addm rl0 addm rl1"     # set bridge to use particular NICs
> > #gateway_enable="YES"
> >
> > pf_enable="YES"                  # Enable PF (load module if required)
> > pf_rules="/etc/pf.conf"          # rules definition file for pf
> > pf_flags=""                      # additional flags for pfctl startup
> > pflog_enable="YES"               # start pflogd(8)
> > pflog_logfile="/var/log/pflog"   # where pflogd should store the logfile
> > pflog_flags=""                   # additional flags for pflogd startup
> >
> > .. and into sysctl.conf:
> >
> > net.link.bridge.pfil_bridge=1   # enables packet filtering on bridge
> > net.link.bridge.pfil_member=1   # enables packet filtering on in and out interfaces
> > #net.inet.ip.forwarding=1       # instead of gateway_enable in rc.conf?
> >
> > I am running into one of two things ... Trying to find information
> > that isn't widely available yet, or trying to figure this out from old
> > posts that don't apply anymore ... The other thing going against me
> > is that I haven't seen anything that resembles my setup ... I am not
> > running any NAT ... I am using real world routable IP addresses ... I
> > am assuming I need a 3rd NIC to be separate from the firewall ...
>
> You can use a firewalled interface or bridge interface as a normal interface
> too. It only depends on your config. You'll find lots of stuff on
> Google referring to a setup like yours, but when searching for OpenBSD stuff.
>
> > From my recent readings of this list's archives, it doesn't seem that I
> > would want to run a bridge ... It won't allow me to keep state ...
> > If this is the case, how do I assign the network cards that will
> > be doing the filtering no IP address? I tried some interesting
> > combinations with ifconfig in rc.conf, but they didn't work ... When
> > I thought everything was up and running correctly, I put this box
> > between my router and switch but traffic didn't flow ... I could ping
> > internally, but could not ping the router's address which is the
> > gateway (x.x.x.1) ... I assumed that the internal pinging was working
> > on the 3rd NIC with the real IP address ...
>
> Stateful mode is working in bridge mode using OpenBSD PF. But I don't
> know if it's presently the case with the FreeBSD implementation.

It _is_ the case; pf supports stateful filtering with bridging. I'm using 6.0
since betaX on a couple of setups like this.

> > My question is, can I use two NICs for PF to do firewalling on to put
> > between the router and the switch and then plug the 3rd NIC in and
> > have it act as a separate interface on the box, or should I simply use
> > 2 NICs and assign them real IP addresses ... If I do that, will
> > IPSTEALTH compiled into the kernel not show the presence of the
> > filtering?
>
> As I said, you could use this kind of setup (3 cards, to keep the logic
> simple) or, while using 2 interfaces in bridge mode, use 1 of them with an
> internal IP address (bridge and standard).
>
> > I think I have successfully confused myself with redundant or old
> > information out there on the 'net, so again ... any suggestions or
> > advice on what I am trying to accomplish would be greatly appreciated.

Please post your pf.conf.

> > Thank you for reading,
> > David Pierron
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
> You should begin by playing with Packet Filter while being in bridge
> mode and gradually including features like the management IP/interface
> before going too far and not understanding.
>
> Danny Fullerton
> ----------------------
> IT Security Specialist
> dfullerton@mantor.org
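The thread asks for David's pf.conf but never shows one, so here is an added example of what a stateful ruleset for the setup described above could look like. It is not David's configuration, not Soren's, and not a FreeBSD or OpenBSD reference file. It assumes the interface names from the thread (rl0 and rl1 as address-less bridge members, brought up with ifconfig_rl0="up" / ifconfig_rl1="up" in rc.conf, and xl0 as the management NIC holding my.c.class.2), keeps the thread's my.c.class placeholder notation for the /24, and uses FreeBSD 6.0-era pf syntax, where "keep state" must be written out. The server addresses, service list and admin workstation are placeholders to be replaced.

```pf
# Added example pf.conf for a transparent (IP-less) bridging firewall on
# FreeBSD 6.x.  Interface names and the my.c.class.0/24 network are taken
# from the thread; <servers>, the service list and admin_host are
# placeholders, not values from the original message.

ext_if  = "rl0"            # bridge member facing the router (assumed)
int_if  = "rl1"            # bridge member facing the LAN switch (assumed)
mgmt_if = "xl0"            # third NIC carrying the firewall's own address
lan_net = "my.c.class.0/24"
mgmt_ip = "my.c.class.2"
admin_host = "my.c.class.50"     # placeholder: the one host allowed to ssh in

# LAN hosts that outsiders may reach, and on which TCP ports (placeholders)
table <servers> { my.c.class.10, my.c.class.11 }
lan_tcp_services = "{ 22, 25, 80, 443 }"

# Evaluate each frame once, on the member interfaces.  With
# net.link.bridge.pfil_bridge=1 still set, bridge0 would see the same
# packet a second time; skipping bridge0 avoids writing every rule twice.
set skip on { lo0 bridge0 }
set block-policy drop

# Reassemble fragments before stateful inspection
scrub in all

# Default deny, logged, so "tcpdump -n -e -ttt -i pflog0" shows what was dropped
block log all

# Anti-spoofing: frames claiming a LAN source must never arrive from the router side
block drop in quick on $ext_if from $lan_net to any

# LAN hosts may initiate anything outbound.  pf's default state-policy is
# floating, so the state created on $int_if also matches on $ext_if; the
# matching out rule is kept so the set still works under "if-bound".
pass in  quick on $int_if from $lan_net to any keep state
pass out quick on $ext_if from $lan_net to any keep state

# Inbound from the Internet only to published servers, only on listed ports,
# and only for packets that actually open a connection (SYN without ACK)
pass in  quick on $ext_if proto tcp from any to <servers> port $lan_tcp_services \
    flags S/SA keep state
pass out quick on $int_if proto tcp from any to <servers> port $lan_tcp_services \
    keep state

# ICMP echo through the bridge in both directions, tracked by state
pass quick on { $ext_if, $int_if } inet proto icmp all icmp-type echoreq keep state

# Management NIC: ssh from one workstation, plus the firewall's own outbound
# traffic (nightly mail, package fetches); everything else hits "block log all"
pass in  quick on $mgmt_if proto tcp from $admin_host to $mgmt_ip port 22 \
    flags S/SA keep state
pass out quick on $mgmt_if from $mgmt_ip to any keep state
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf", then confirm that states are really being created across the bridge with "pfctl -ss" while pinging from the LAN. If you would rather filter only on the members without a "set skip" line, setting net.link.bridge.pfil_bridge=0 in sysctl.conf and leaving pfil_member=1 has the same effect. The bridge members themselves need no address for any of this, which is what makes the box invisible at layer 3; IPSTEALTH only matters for routed (forwarded) traffic, not for frames crossing a bridge.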