Date:      Wed, 08 Mar 2006 14:12:25 -0000
From:      Martin Tournoy <carpetsmoker@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   Network bridge with IPFW, can't get it working
Message-ID:  <op.s53lqzxsipwu61@anyhost.anywhere>


Here's the situation:
I work at a computer repair shop. As we all know, viruses, ad-ware and other mal-ware are a huge problem in the Windows world, and a lot of people come to us to have their PCs cleaned up.

Some of those programs spread themselves actively, or are used as "zombie computers", which is somewhat of a problem for us because it can infect other PCs on the net; also, our ISP (temporarily) shut us down some time ago for security reasons.

We have a firewall on our router, but it only blocks incoming traffic from the net, which makes life a bit easier because we don't have to open up ports for all kinds of programs all the time.

Since we more or less need internet on infected PCs (to download virus-scanners, updates, etc.), I'm trying to set up a bridge with a firewall (IPFW), which should filter any bad traffic before it goes to the internet.

Problem is, it doesn't work (which is secure, but not quite what I intended).

The bridge works fine; if I shut down IPFW (or tell IPFW to allow everything) I have network access, so no problems there...

If I scan for DHCP servers, it finds the server and DNS, but doesn't get an IP address (?!) for some reason, no matter what I do...

My rc.firewall is attached. I made it as simple as possible; complexity and spiffy features can always be added later, let's get the thing working first...
I would really appreciate it if someone looked over it, there are probably errors in there.

What the REAL problem is, is that I'm a real novice at firewalls, and some things really confuse me, more specifically:

- The 'bridged' keyword: does it HAVE to be added to every rule? Or is it just recommended? Or just for specific rules?

- Which ports do I need to open? I think I have all I need now (DHCP, DNS, http, https, ping), maybe there's some hidden port I forgot?

- Should I use PF? (Is it easier for a novice?)

- Should I just set up a separate LAN? Bridging seems simpler, but doesn't seem to be very common/well documented...

I don't think it matters, but just in case:
I'm using two 3Com 3C905B-TX NICs (xl)

My uname -a is:
FreeBSD filtershit.ictwerkplaats.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE  
#0: Wed Feb 22 12:47:58 UTC 2006      
carpetsmoker@.ictwerkplaats.org:/usr/obj/usr/src/sys/FILTERSHIT  i387
Content-Disposition: attachment; filename=rc.firewall
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------------YvCboJyJeV8VGPuvOTohgh--
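The following is an added illustration, not code from the original post and not the attached rc.firewall. It is a toy first-match evaluator for an ipfw-style allowlist that models the two properties relevant to the DHCP symptom described above: rules are consulted in order with a final deny, and a keep-state rule only creates a dynamic entry for the exact reversed 5-tuple. Because a DHCP OFFER/ACK comes back from the server's port 67 to the broadcast address on port 68, it never matches the dynamic entry created by the client's DISCOVER/REQUEST (sent from 0.0.0.0:68 to 255.255.255.255:67), so the server-to-client leg needs its own static rule. The rulesets, addresses, ports and packet sequence are constructed for the example; the separate layer-2 pass of a real bridge and every other ipfw feature are deliberately ignored.

```python
"""Toy first-match evaluator for an ipfw-style allowlist (added illustration, not ipfw)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Tuple5 = Tuple[str, str, Optional[int], str, Optional[int]]


@dataclass(frozen=True)
class Packet:
    name: str
    proto: str          # "udp", "tcp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]

    def key(self) -> Tuple5:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self) -> Tuple5:
        # What a keep-state rule records for the reply direction: exact mirror image.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str = "any"
    sport: Optional[int] = None   # None = any port
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src in ("any", p.src)
                and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[Tuple[str, str]]:
    """Run packets through the ruleset in order, returning (name, verdict) pairs."""
    state: Set[Tuple5] = set()
    verdicts = []
    for p in packets:
        # check-state: a packet matching a dynamic entry is allowed immediately
        if p.key() in state:
            verdicts.append((p.name, "allow"))
            continue
        verdict = "deny"          # nothing matched: treat as denied
        for r in rules:
            if r.matches(p):
                verdict = r.action
                if r.action == "allow" and r.keep_state:
                    state.add(p.key())
                    state.add(p.reverse_key())
                break
        verdicts.append((p.name, verdict))
    return verdicts


# Constructed sample traffic: a DHCP lease negotiation on 192.168.1.0/24 and one
# DNS lookup. Addresses and ports are made up for the illustration.
CLIENT, SERVER = "192.168.1.50", "192.168.1.1"
BCAST, UNSPEC = "255.255.255.255", "0.0.0.0"
TRAFFIC = [
    Packet("DHCPDISCOVER", "udp", UNSPEC, 68, BCAST, 67),
    Packet("DHCPOFFER",    "udp", SERVER, 67, BCAST, 68),   # broadcast reply
    Packet("DHCPREQUEST",  "udp", UNSPEC, 68, BCAST, 67),
    Packet("DHCPACK",      "udp", SERVER, 67, BCAST, 68),   # broadcast reply
    Packet("DNS query",    "udp", CLIENT, 49152, SERVER, 53),
    Packet("DNS reply",    "udp", SERVER, 53, CLIENT, 49152),
]

# Allowlist that relies on keep-state alone for DHCP: the broadcast replies drop.
STATE_ONLY = [
    Rule("allow", "udp", dport=67, keep_state=True),   # DHCP client -> server
    Rule("allow", "udp", dport=53, keep_state=True),   # DNS
    Rule("allow", "tcp", dport=80, keep_state=True),   # HTTP
    Rule("allow", "tcp", dport=443, keep_state=True),  # HTTPS
    Rule("allow", "icmp"),                             # ping
    Rule("deny", "ip"),                                # everything else
]

# Same allowlist plus an explicit static rule for the DHCP server -> client leg.
WITH_DHCP_REPLY = [Rule("allow", "udp", sport=67, dport=68)] + STATE_ONLY


def dropped(rules: List[Rule]) -> List[str]:
    """Names of the sample packets this ruleset denies."""
    return [name for name, verdict in evaluate(rules, TRAFFIC) if verdict == "deny"]


if __name__ == "__main__":
    print("state-only ruleset drops:", dropped(STATE_ONLY))       # DHCPOFFER, DHCPACK
    print("with DHCP reply rule drops:", dropped(WITH_DHCP_REPLY))  # nothing
```

The DNS exchange passes in both rulesets because the reply is a unicast mirror of the query, which is exactly what a dynamic rule matches; only the broadcast DHCP replies need the extra static rule. On the separate question of the keyword: in ipfw(8) `bridged` is an alias for the `layer2` option, which restricts a rule to the layer-2 pass, and a rule without it is consulted on every pass, so it is not something that has to be added to each rule.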

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.s53lqzxsipwu61>