Date: Fri, 19 Dec 2008 10:19:31 +0700 (ICT)
From: Olivier Nicole
To: khoogc@singnet.com.sg
Cc: freebsd-questions@freebsd.org
Subject: Re: bridge ipfw also protect set
In-reply-to: <20081219020810.GA60027@localhost.gateway.2wire.net> (message from KHOO Guan Chen on Fri, 19 Dec 2008 10:08:10 +0800)

Hi,

> I want to give internet connectivity to a pc behind my FreeBSD, which is
> connected to an aDSL. I know I can add another card to my set and use
> bridge+IPFW so that the behind pc is firewalled. But will this setup
> also ensure that my FreeBSD set is firewalled? Could now figure it out
> reading the book and article.

You don't want to use bridge!

1) As far as I remember, ipfw works poorly with bridge: it would filter only based on layer 2, not based on IP (need to confirm).

2) Bridge means that packets traverse the FreeBSD machine without any modification (think of the bridge like a 2-port Ethernet switch). Unless you use an ADSL modem (but then you can use a switch and connect your PC and your FreeBSD box each on one port of the switch), it will not work. If your FreeBSD machine is in charge of making the ADSL connection, it will not work.

3) As suggested in the previous reply, you need some NAT and some routing in your FreeBSD machine. Routing is not bridge.

Best regards,

Olivier