Date: Tue, 19 Apr 2005 01:53:21 -0500
From: Ryan Stark <syah@io.com>
To: freebsd-pf@freebsd.org
Subject: Re: pf + bridge
Message-ID: <20050419015321.2b893054.syah@io.com>
In-Reply-To: <20050418220237.GJ867@chimie.u-strasbg.fr>
References: <72c3a957050411062060eea5cc@mail.gmail.com> <20050418220237.GJ867@chimie.u-strasbg.fr>
On Tue, 19 Apr 2005 00:02:37 +0200
Guy Brand <gb@isis.u-strasbg.fr> wrote:
> On 11 April at 13:20, Sergey Lyubka wrote:
>
> > I am trying to build a transparent filtering box.
> > Box is running freebsd 5.4, pf and bridge, this is
> > the setup:
>
> FreeBSD has no support for pf in its bridge code. Neither has it
> IPv6 support.
>
I have been using FreeBSD & pf as a transparent bridge since 5.2.
(Before that, I was using OpenBSD & pf)
Mine looks something like this:

          in
          |
          | fxp0, 0.0.0.0
        -----
        |   |
        |   |--- fxp1, (internal admin interface)
        |   |
        -----
          |
          | fxp1, 0.0.0.0

cat /etc/sysctl.conf
#bridging enable for fxp0,fxp1
net.link.ether.bridge.config=fxp0:0,fxp1:0
net.link.ether.bridge.enable=1
cat rc.conf
pflog_enable="YES"
# Set to YES to enable packet filter logging
pf_rules="/etc/host.pf.conf"
# rules definition file for pf. different than default. mergemaster
# likes to clobber default
pflog_enable="YES"
# Set to YES to enable packet filter logging
ifconfig
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:90:27:59:03:71
        media: Ethernet autoselect (10baseT/UTP)
        status: active
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:a0:c9:d8:8f:b1
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
A slightly dated, but fully functional <scrubbed> ruleset can be found
here:
http://www.io.com/sirius/pf.conf-3.3.example
Hope that might clear up any confusion.
With regards to Sergey's original question, I have not
played with the web proxy on the bridge; however, I have used the
ftp proxy module on my NAT gateway machine with no problems. Maybe
using it there would work better?
--
Ryan Stark | syah io com
BOFH excuse #365:
parallel processors running perpendicular today
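
An added example of the kind of ruleset the message describes (not Ryan's scrubbed pf.conf from the link above): a minimal pf.conf for a two-interface transparent bridge, using the fxp0/fxp1 names from the message. The 192.0.2.0/24 network and the web server address are constructed placeholders.

```pf
# Added example, not the ruleset linked in the message.
# Transparent bridge: fxp0 faces the upstream link, fxp1 faces the
# protected segment (names as in the message). Neither interface
# carries an IP address, so rules match on the hosts behind them,
# never on the bridge interfaces themselves.
ext_if = "fxp0"
int_if = "fxp1"

# Placeholder addresses (constructed for this example).
lan_net = "192.0.2.0/24"
web_srv = "192.0.2.10"

# Reassemble fragments before any rule evaluates them.
scrub in all

# A bridged packet crosses pf on both member interfaces. Do all the
# policy work on the outside interface and let the inside one pass
# everything, so each packet is evaluated once and state is kept once.
pass quick on $int_if all

# Default deny on the filtering interface. Drops go to pflog0 (pflog
# is enabled in rc.conf), readable with tcpdump -n -e -ttt -i pflog0.
block in log on $ext_if all
block out log on $ext_if all

# Inbound from the upstream side: only the published service, and only
# to the one host that is supposed to offer it. Matching on the SYN
# alone keeps stray mid-stream packets from creating state.
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } \
    flags S/SA keep state

# Outbound from the protected segment: anything the LAN originates,
# with state so replies return without a matching inbound rule.
pass out on $ext_if proto { tcp, udp, icmp } from $lan_net to any \
    keep state
```

Load with `pfctl -nf /etc/host.pf.conf` first to syntax-check, then without `-n`; the file path follows the pf_rules setting in the message's rc.conf.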