Date: Sat, 20 Dec 2008 01:31:48 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Olivier Nicole <on@cs.ait.ac.th>
Cc: freebsd-questions@freebsd.org, khoogc@singnet.com.sg
Subject: Re: bridge ipfw also protect set
Message-ID: <20081220004834.L29108@sola.nimnet.asn.au>
In-Reply-To: <20081219101354.17F9C10656D8@hub.freebsd.org>
References: <20081219101354.17F9C10656D8@hub.freebsd.org>
On Fri, 19 Dec 2008 10:19:31 +0700 (ICT) Olivier Nicole <on@cs.ait.ac.th> wrote:

[khoogc@singnet.com.sg wrote:]
> > I want to give internet connectivity to a pc behind my Freebsd, which is
> > connected to an aDSL. I know I can add another card to my set and use
> > bridge+IPFW so that the behind pc is firewalled. But will this setup
> > also ensure that my Freebsd set is firewalled? Could not figure it out
> > reading the book and article.
>
> You don't want to use bridge!

Certainly true in this instance.

> 1) as far as I remember, ipfw works poorly with bridge: it would
> filter only based on layer 2, not based on IP (need to confirm).

Not true. I've managed a filtering bridge (also providing web and samba
servers) with ipfw+dummynet for 5+ years since FreeBSD 4.8, and it works
very well indeed. You can filter at layer 2 or 3, bridged and unbridged
traffic, though you can only filter bridged traffic that's coming 'in'.

> 2) bridge means that packets traverse the FreeBSD machine without any
> modification (think of the bridge like a 2 ports Ethernet
> switch). Unless you use an ADSL modem (but then you can use a
> switch and connect your PC and your FreeBSD box each on one port of
> the switch) it will not work.
>
> If your FreeBSD machine is in charge of making the ADSL connection,
> it will not work.

Not as a bridge, no.

> 3) as suggested in the previous reply, you need some NAT and some
> routing in your FreeBSD machine. Routing is not bridge.

The 'simple' ruleset in rc.firewall provides a good basic setup to protect
a small network as described, including the router of course. You'll want
to add a couple of rules allowing some ICMP traffic, remove rules for
inbound DNS and web if you're not running those servers, etc.

Read ipfw(8) about 10 times, largely ignore the current ipfw section in
the handbook, and prosper ..

cheers, Ian
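The setup Ian describes for the original poster (FreeBSD box holds the ADSL link, routes and NATs one PC behind it, inbound DNS/web rules dropped, some ICMP allowed), written out as an added example. This is not code from the thread, from rc.firewall, or from the FreeBSD handbook; interface names (tun0 for the PPPoE/ADSL link, fxp1 for the NIC facing the PC), the inside network 192.168.1.0/24, the rule numbers and the `load` argument are all assumptions for illustration. It uses natd via divert sockets, as the 'simple' ruleset does, so it needs natd_enable/natd_interface in rc.conf and IPDIVERT in the kernel or as a module.

```shell
#!/bin/sh
# /etc/ipfw.rules (assumed path) -- added example, not from the post or from FreeBSD.
# Stateful ipfw + natd ruleset for a FreeBSD box that holds the ADSL (PPPoE)
# link and routes one PC behind it.  Assumed names (change to yours):
#   tun0            the PPPoE/ADSL interface (public side)
#   fxp1            the second NIC, facing the PC
#   192.168.1.0/24  the inside network
# Assumed rc.conf:  gateway_enable="YES"  firewall_enable="YES"
#                   natd_enable="YES"     natd_interface="tun0"
# plus a kernel (or modules) with IPFIREWALL and IPDIVERT.

fwcmd="${fwcmd:-/sbin/ipfw -q}"   # fwcmd=echo sh /etc/ipfw.rules load  previews the rules

# Print the rules, one "ipfw add" argument list per line (comment lines start with #).
# usage: ruleset <outside_if> <inside_if> <inside_net> <inside_prefixlen>
ruleset() {
    oif=$1 iif=$2 inet=$3/$4
    cat <<EOF
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
# Anti-spoofing: inside/private source addresses never arrive on the ADSL link.
00400 deny ip from $inet to any in via $oif
00410 deny ip from 10.0.0.0/8 to any in via $oif
00420 deny ip from 172.16.0.0/12 to any in via $oif
00430 deny ip from 192.168.0.0/16 to any in via $oif
# Inbound on the ADSL link: un-NAT first, so a reply to the PC already carries
# the PC's private address when the state table is consulted.
01000 divert natd ip from any to any in via $oif
01100 check-state
# Anything from the inside PC may enter on the inside NIC (this includes
# connections to services on this box; tighten if the PC is not trusted).
01200 allow ip from $inet to any in via $iif
# Traffic leaving on the ADSL link, from this box or from the PC: record state
# with the pre-NAT addresses, then jump to the NAT section.  A packet matched
# by check-state re-runs its parent skipto, so replies take the same path.
01300 skipto 5000 tcp from any to any out via $oif setup keep-state
01400 skipto 5000 udp from any to any out via $oif keep-state
01500 skipto 5000 icmp from any to any out via $oif keep-state
# This box talking to the PC.
01600 allow ip from any to $inet out via $iif
# ICMP errors we rely on (unreachable incl. PMTU, time exceeded); add type 8 to be pingable.
01700 allow icmp from any to any in via $oif icmptypes 3,11
# Everything else, including inbound connection attempts to this box
# (DNS, web, ssh, ...) and to the PC, is dropped and logged.
01900 deny log ip from any to any
# NAT section: translate on the way out of the ADSL link, then pass.
05000 divert natd ip from any to any out via $oif
05100 allow ip from any to any
EOF
}

# Flush the current rules and load the ruleset, skipping the comment lines.
load_ruleset() {
    $fwcmd -f flush
    ruleset "$@" | grep -v '^#' | while read -r rule; do
        $fwcmd add $rule
    done
}

# Only load when asked (sh /etc/ipfw.rules load), so the file can also be sourced.
case "${1:-}" in
    load) load_ruleset tun0 fxp1 192.168.1.0 24 ;;
esac
```

The point to check in any ruleset like this is the order of the two divert rules relative to the state lookup: inbound translation must happen before check-state and outbound translation after keep-state, otherwise the dynamic rule holds public addresses on one side and private ones on the other and replies to the PC never match. Preview with `fwcmd=echo sh /etc/ipfw.rules load` before loading on a remote box. On FreeBSD 7 and later the two divert rules can be replaced by in-kernel `ipfw nat` instances with the same ordering constraint.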
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081220004834.L29108>