From: David Pierron <david@wombatsweb.com>
Date: Fri, 02 Dec 2005 08:11:49 -0500
To: freebsd-pf@freebsd.org
Subject: FBSD6 if_bridge
Message-ID: <43904815.4070805@wombatsweb.com>

I have been trying for some time to get if_bridge working on a FreeBSD 6.0 machine. I must be missing something simple.
I have Googled, I have previously posted here, I've IRC'd and I have tried 3 different installations on different hardware ... I have read and reread the man pages for if_bridge and associated docs, and I believe I made the correct choices. I have posted my edits so that it may jump out at someone and I can proceed on my merry way into ruleset building ...

The configuration desired is a 3 NIC install ... 2 doing the bridge between the router and the network and the 3rd used for access I/O to the machine. When I am ready to try this new configuration, I pull the two CAT5 cables from the existing bridge (FBSD 4.11-p13 BRIDGE IPFW) and pop them into this new one. I see traffic being blocked using tcpdump -i pflog0 from machines within the network (fxp2), but nothing outside (fxp0 and fxp1). I see states being established and removed watching pftop, but only for the internal network (fxp2). It appears the bridge is not working whatsoever ... any ideas for me to try?

I install from 6.0-RELEASE-i386-bootonly.iso using a Minimal install. Get base via FTP :: pkg_add -r cvsup-without-gui, cvsup all source and ports, and recompile the kernel, editing GENERIC with:

    # Bridge support
    device          if_bridge

    # PF support
    device          pf
    device          pflog
    device          pfsync

    # ALTQ support
    options         ALTQ
    options         ALTQ_CBQ
    options         ALTQ_RED
    options         ALTQ_RIO
    options         ALTQ_HFSC
    options         ALTQ_PRIQ
    # for SMP machine
    options         ALTQ_NOPCC

    # other stuff
    #options        IPSTEALTH
    options         HZ=1000

    config SMP ; cd ../compile/SMP ; make depend ; make ; make install
    reboot

/etc/sysctl.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Enable bridge and allow each NIC (member) in/out filtering for PF
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=1
#
# Enable forwarding
#net.inet.ip.forwarding=1   # I have tried with this on as well but bridge should do forwarding
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

/etc/rc.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
defaultrouter="my.c.class.xxx"
hostname="foo.mydomain.org"
ifconfig_fxp2="inet my.c.class.xxx netmask 255.255.255.0"
#
# Create Bridge
cloned_interfaces="bridge0"
ifconfig_bridge0="addm fxp0 addm fxp1 up"
#
# Enable PF firewall
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
#
# Enable PF logging
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
#
# Start Apache2 at startup
apache2_enable="YES"
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

/etc/pf.conf:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ext_if="fxp0"   # replace with actual external interface name i.e., dc0
int_if="fxp1"   # replace with actual internal interface name i.e., dc1
mgt_if="fxp2"   # replace with actual internal interface name i.e., dc2

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all

# localhost interface
pass quick on lo0 all

# Block everything and log it
block log on $mgt_if all
block log on $ext_if all
block log on $int_if all

# Internal interface
pass out on $mgt_if all keep state
pass in on $mgt_if proto tcp from any to $mgt_if port 80 keep state
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

ifconfig output with cables unplugged from bridge:

fxp0: flags=8902 mtu 1500
        options=8
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (none)
        status: no carrier
fxp1: flags=8902 mtu 1500
        options=8
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (none)
        status: no carrier
fxp2: flags=8843 mtu 1500
        options=8
        inet6 xxxx::xxx:xxxx:xxxx:xxxx%fxp2 prefixlen 64 scopeid 0x3
        inet my.c.class.xxx netmask 0xffffff00 broadcast my.c.class.255
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
pfsync0: flags=0<> mtu 2020
pflog0: flags=141 mtu 33208
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8041 mtu 1500
        ether xx:xx:xx:xx:xx:xx
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: fxp1 flags=3
        member: fxp0 flags=3
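Editor's note and added example, not part of David's post: ifconfig prints each interface's flags word in hex, and the lowest bit of that word is IFF_UP (0x1 in <net/if.h>). In the output quoted above, fxp2 (8843) and bridge0 (8041) have that bit set, while the two bridge members fxp0 and fxp1 (8902) do not, and the quoted rc.conf has no ifconfig_fxp0 or ifconfig_fxp1 entries that would bring them up (the Handbook's if_bridge recipe adds ifconfig_fxp0="up" and ifconfig_fxp1="up" next to the bridge line). The script below is editor-written example code that decodes this from a constructed copy of the quoted ifconfig output (the real address replaced by the documentation range 192.0.2.0/24, and the flag names that the archive stripped left out); it assumes only sh, sed and awk, and on a live host you would set IFCONFIG_OUT=$(ifconfig) instead of the embedded text.

```shell
#!/bin/sh
# Constructed sample modelled on the ifconfig output quoted in the post; on a
# live system replace this assignment with:  IFCONFIG_OUT=$(ifconfig)
IFCONFIG_OUT='fxp0: flags=8902 mtu 1500
        options=8
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (none)
        status: no carrier
fxp1: flags=8902 mtu 1500
        options=8
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (none)
        status: no carrier
fxp2: flags=8843 mtu 1500
        options=8
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255
        ether xx:xx:xx:xx:xx:xx
        media: Ethernet autoselect (100baseTX )
        status: active
bridge0: flags=8041 mtu 1500
        ether xx:xx:xx:xx:xx:xx
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: fxp1 flags=3
        member: fxp0 flags=3'

# Print the hex flags word of one interface: the number after "flags=" on its
# header line (ifconfig prints it without a 0x prefix).
iface_flags() {
    printf '%s\n' "$IFCONFIG_OUT" | sed -n "s/^$1: flags=\([0-9a-fA-F]*\).*/\1/p"
}

# True when IFF_UP (bit 0x1) is set in the interface's flags word.
is_up() {
    flags=$(iface_flags "$1")
    [ -n "$flags" ] && [ $(( 0x$flags & 0x1 )) -ne 0 ]
}

# List the member interfaces of a bridge, one per line, taken from the
# "member: <name> flags=..." lines that follow the bridge's header line.
bridge_members() {
    printf '%s\n' "$IFCONFIG_OUT" | awk -v br="$1" '
        /^[^ \t]/ { inbr = ($1 == (br ":")) }
        inbr && $1 == "member:" { print $2 }'
}

# Print the bridge members that are not UP; exit status 1 if there are any.
down_members() {
    rc=0
    for m in $(bridge_members "$1"); do
        if ! is_up "$m"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: report on bridge0.
if down_members bridge0 >/dev/null; then
    echo "all bridge0 members are UP"
else
    echo "bridge0 members lacking IFF_UP:"
    down_members bridge0
fi
```

A member that is not UP receives no frames, so nothing crosses the bridge and pf on fxp0 and fxp1 has nothing to log, which matches the symptom in the post; whether the block rules on those interfaces behave as intended can only be judged once the members carry traffic.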