From: Ryan Stark
To: freebsd-pf@freebsd.org
Date: Tue, 19 Apr 2005 01:53:21 -0500
Subject: Re: pf + bridge

On Tue, 19 Apr 2005 00:02:37 +0200
Guy Brand wrote:

> On 11 April at 13:20, Sergey Lyubka wrote:
>
> > I am trying to build a transparent filtering box.
> > Box is running freebsd 5.4, pf and bridge, this is
> > the setup:
>
> FreeBSD has no support for pf in its bridge code. Neither has it
> IPv6 support.
>

I have been using FreeBSD & pf as a transparent bridge since 5.2.
(Before that, I was using OpenBSD & pf)

Mine looks something like this:

      in
      |
      | fxp0, 0.0.0.0
    -----
    |   |
    |   |--- fxp1, (internal admin interface)
    |   |
    -----
      |
      | fxp1, 0.0.0.0

cat /etc/sysctl.conf
#bridging enable for fxp0,fxp1
net.link.ether.bridge.config=fxp0:0,fxp1:0
net.link.ether.bridge.enable=1

cat rc.conf
pflog_enable="YES"            # Set to YES to enable packet filter logging
pf_rules="/etc/host.pf.conf"  # rules definition file for pf. different than default. mergemaster
                              # likes to clobber default
pflog_enable="YES"            # Set to YES to enable packet filter logging

ifconfig
fxp0: flags=8943 mtu 1500
        options=48
        ether 00:90:27:59:03:71
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp1: flags=8943 mtu 1500
        options=48
        ether 00:a0:c9:d8:8f:b1
        media: Ethernet autoselect (100baseTX )
        status: active

Slightly dated, but fully functional ruleset can be found here:
http://www.io.com/sirius/pf.conf-3.3.example

Hope that might clear up any confusion.

With regards to Sergey's original question, I have not played with the web
proxy on the bridge, however I have used the ftp proxy module on my
NAT-gateway machine with no problems. Maybe using there would work better?

--
Ryan Stark | syah io com
BOFH excuse #365:

parallel processors running perpendicular today
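
Added example, not part of the message above and not the author's own tooling: a small Python check that decodes the hex flags= value from the quoted ifconfig output and confirms that every interface named in net.link.ether.bridge.config is up, running and in promiscuous mode. The flag bits are the standard ones from FreeBSD's net/if.h; the REQUIRED set, the function names and the embedded sample text are assumptions made for this illustration.

```python
import re

# Interface flag bits from FreeBSD <net/if.h>; ifconfig prints the mask in hex.
IFF = {0x1: "UP", 0x2: "BROADCAST", 0x40: "RUNNING", 0x100: "PROMISC",
       0x800: "SIMPLEX", 0x8000: "MULTICAST"}
REQUIRED = {"UP", "RUNNING", "PROMISC"}  # assumption: what a bridge member needs

# Constructed sample input, built from the values quoted in the message.
SYSCTL_CONF = ("#bridging enable for fxp0,fxp1\n"
               "net.link.ether.bridge.config=fxp0:0,fxp1:0\n"
               "net.link.ether.bridge.enable=1\n")
IFCONFIG = ("fxp0: flags=8943 mtu 1500\n\tether 00:90:27:59:03:71\n"
            "fxp1: flags=8943 mtu 1500\n\tether 00:a0:c9:d8:8f:b1\n")

def decode_flags(hex_mask):
    """Return the names of the flag bits set in an ifconfig flags= value."""
    mask = int(hex_mask, 16)
    return {name for bit, name in IFF.items() if mask & bit}

def bridge_members(sysctl_text):
    """Parse bridge.config into {interface: cluster}; empty if bridging is off."""
    lines = (l for l in sysctl_text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    kv = {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}
    if kv.get("net.link.ether.bridge.enable", "0") != "1":
        return {}
    pairs = kv.get("net.link.ether.bridge.config", "").split(",")
    return {i.strip(): int(c) for i, c in (p.split(":") for p in pairs if ":" in p)}

def audit(sysctl_text, ifconfig_text):
    """List problems that would keep the configured members from bridging."""
    members = bridge_members(sysctl_text)
    flags = {m.group(1): decode_flags(m.group(2)) for m in
             re.finditer(r"^(\w+): flags=([0-9a-fA-F]+)", ifconfig_text, re.M)}
    problems = []
    if len(members) < 2:
        problems.append("fewer than two bridge members configured")
    if len(set(members.values())) > 1:
        problems.append("members are in different clusters")
    for ifname in sorted(members):
        missing = REQUIRED - flags.get(ifname, set())
        if missing:
            problems.append(f"{ifname}: missing {','.join(sorted(missing))}")
    return problems

if __name__ == "__main__":
    print(sorted(decode_flags("8943")))
    print(audit(SYSCTL_CONF, IFCONFIG) or "bridge members look consistent")
```

For the values in the message, flags=8943 decodes to UP, BROADCAST, RUNNING, PROMISC, SIMPLEX and MULTICAST on both fxp0 and fxp1, so the audit reports no problems.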