From owner-freebsd-questions@FreeBSD.ORG Wed Mar 8 13:13:03 2006
From: Martin Tournoy
To: freebsd-questions@freebsd.org
Date: Wed, 08 Mar 2006 14:12:25 -0000
Subject: Network bridge with IPFW, can't get it working
User-Agent: Opera M2/8.50 (FreeBSD, build 1358)

Here's the situation: I work at a computer repair shop. As we all know, viruses, ad-ware and other malware are a huge problem in the Windows world, and a lot of people come to us to have their PCs cleaned up. Some of those programs spread themselves actively, or are used as "zombie computers", which is somewhat of a problem for us because it can infect other PCs on the net; also, our ISP (temporarily) shut us down some time ago for security reasons. We have a firewall on our router, but it only blocks incoming traffic from the net, which makes life a bit easier because we don't have to open up ports for all kinds of programs all the time.

Since we more or less need internet on infected PCs (to download virus scanners, updates, etc.), I'm trying to set up a bridge with a firewall (IPFW), which should filter out any bad traffic before it goes to the internet.

Problem is, it doesn't work (which is secure, but not quite what I intended). The bridge works fine: if I shut down IPFW (or tell IPFW to allow everything) I have network access, so no problems there... If I scan for DHCP servers, it finds the server and DNS, but doesn't get an IP address (?!) for some reason, no matter what I do...

My rc.firewall is attached. I made it as simple as possible; complexity and spiffy features can always be added later, let's get the thing working first... I would really appreciate it if someone looked over it, there are probably errors in there.

What the REAL problem is, is that I'm a real novice at firewalls, and some things really confuse me, more specifically:

- The 'bridged' keyword: does it HAVE to be added to every rule? Or is it just recommended? Or just specific rules?
- Which ports do I need to open? I think I have all I need now (DHCP, DNS, http, https, ping), maybe there's some hidden port I forgot?
- Should I use PF? (Is it easier for a novice?)
- Should I just set up a separate LAN? Bridging seems simpler, but doesn't seem to be very common/well documented...
I don't think it matters, but just in case: I'm using two 3Com 3C905B-TX NICs (xl).

My uname -a is:

FreeBSD filtershit.ictwerkplaats.org 6.1-PRERELEASE FreeBSD 6.1-PRERELEASE #0: Wed Feb 22 12:47:58 UTC 2006 carpetsmoker@.ictwerkplaats.org:/usr/obj/usr/src/sys/FILTERSHIT i387

[Attachment: rc.firewall]

#!/bin/sh

# Bridge, protect one side (xl0) from the other (xl1), prevent all traffic going from xl1 to xl0.

# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="xl0"

# No restrictions on Inside LAN Interface for private network
$cmd 005 allow all from any to any via xl1 bridged

# No restrictions on Loopback Interface
$cmd 010 allow all from any to any via lo0

# Allow out access to my ISP's Domain name server.
$cmd 020 allow tcp from any to 194.109.6.66 53 via $pif bridged
$cmd 021 allow udp from any to 194.109.6.66 53 via $pif bridged

# Allow out access to my ISP's DHCP server for cable/DSL configurations.
$cmd 030 allow udp from any to 192.168.100.1 67 via $pif bridged
$cmd 031 allow udp from any to 192.168.100.1 68 via $pif bridged

# Allow out non-secure standard www function
$cmd 040 allow tcp from any to any 80 via $pif bridged

# Allow out secure www function https over TLS SSL
$cmd 050 allow tcp from any to any 443 via $pif bridged

# Allow ping
$cmd 080 allow icmp from any to any via $pif bridged

# Deny any late arriving packets
$cmd 330 deny all from any to any frag in via $pif

# Allow traffic from my DHCP server.
$cmd 360 allow tcp from 192.168.100.1 to any 68 via $pif bridged
$cmd 361 allow udp from 192.168.100.1 to any 68 via $pif bridged

# Reject & Log all unauthorized incoming connections from the public Internet
$cmd 400 deny log all from any to any via $pif bridged

# Everything else is denied by default
$cmd 999 deny log all from any to any
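An added example, not part of the posted message, its attachment, or any FreeBSD-supplied file. It keeps the layout of the posted rc.firewall but spells out the DHCP exchange: a client with no address yet sends DHCPDISCOVER/DHCPREQUEST as UDP from 0.0.0.0 port 68 to 255.255.255.255 port 67, and the posted rules on xl0 only allow UDP to 192.168.100.1, so no allow rule on that side covers the broadcast. That is consistent with seeing the server but never receiving a lease. The interface names xl0/xl1 and the addresses 194.109.6.66 and 192.168.100.1 are taken from the attachment; the IPFW_CMD dry-run switch, the function names (rule, flush, bridge_rules, apply_rules), the rule numbers and the narrower ICMP and TCP "setup"/"established" rules are this example's own choices. With IPFW_CMD unset the script only prints the rules, so it can be reviewed on any machine; on the bridge itself run it with IPFW_CMD="ipfw -q add".

```shell
#!/bin/sh
# Added example for this thread, not the poster's attachment and not a
# FreeBSD-supplied file.  Same layout as the posted rc.firewall, with the
# DHCP broadcast exchange admitted on the filtered side.  Interface names
# and the resolver/DHCP-server addresses are copied from the posted script;
# the dry-run switch, function names and rule numbers are assumptions.
#
# Without IPFW_CMD the rules are only printed, so the set can be reviewed
# on any host.  On the bridge:  IPFW_CMD="ipfw -q add" sh rc.firewall
# (layer-2 filtering must be switched on with the sysctl described in
# bridge(4)/if_bridge(4), and "log" only reaches syslog when
# net.inet.ip.fw.verbose=1).

pif="xl0"             # router/ISP side: the side the rules filter on
lan="xl1"             # repair-bench side
dns="194.109.6.66"    # ISP resolver, from the posted script
dhcp="192.168.100.1"  # ISP DHCP server, from the posted script

# Emit one rule.  "bridged" is the older spelling ipfw2 accepts for
# "layer2": it restricts a rule to frames being bridged, so it belongs on
# the rules meant to see bridged frames and has no effect elsewhere.
rule() {
    ${IPFW_CMD:-echo} "$@"
}

# Clear the old set first (printed in dry-run mode like everything else).
flush() {
    if [ -n "$IPFW_CMD" ]; then ipfw -q -f flush; else echo "ipfw -q -f flush"; fi
}

# The ordered rule set.  ipfw takes the first matching rule, so every
# allow below has to come before the catch-all deny at the end.
bridge_rules() {
    rule 005 allow all from any to any via $lan bridged
    rule 010 allow all from any to any via lo0

    # DHCP.  A client without an address sends DISCOVER/REQUEST as UDP
    # 0.0.0.0:68 -> 255.255.255.255:67.  A rule that only allows UDP to
    # $dhcp:67 never matches that broadcast, so it is listed explicitly.
    rule 030 allow udp from any 68 to 255.255.255.255 67 via $pif bridged
    rule 031 allow udp from any 68 to $dhcp 67 via $pif bridged
    # OFFER/ACK come from $dhcp:67 to client port 68, broadcast or unicast.
    rule 032 allow udp from $dhcp 67 to any 68 via $pif bridged

    # DNS to the ISP resolver only.  These rules are stateless, so the UDP
    # answer path is written out as its own rule.
    rule 040 allow udp from any to $dns 53 via $pif bridged
    rule 041 allow udp from $dns 53 to any via $pif bridged
    rule 042 allow tcp from any to $dns 53 setup via $pif bridged

    # Web.  Outbound SYNs only to 80/443; "established" (ACK or RST set)
    # lets the rest of every TCP conversation through, including the
    # answers to rule 042.
    rule 050 allow tcp from any to any established via $pif bridged
    rule 051 allow tcp from any to any 80 setup via $pif bridged
    rule 052 allow tcp from any to any 443 setup via $pif bridged

    # Ping plus the ICMP errors that path-MTU discovery and traceroute
    # depend on, rather than all of ICMP.
    rule 080 allow icmp from any to any icmptypes 0,3,8,11 via $pif bridged

    # Anything else on the filtered side is dropped and logged; the final
    # rule also catches frames that were not bridged at all.
    rule 400 deny log all from any to any via $pif bridged
    rule 999 deny log all from any to any
}

apply_rules() {
    flush
    bridge_rules
}

apply_rules
```

Because the rules are stateless, each service needs both directions written out (or the "established" shortcut for TCP); that is why the posted "allow udp to 192.168.100.1 68" rule, which names the client port as a destination on a unicast address, does not describe any packet a DHCP client actually sends.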