From: "Chris Dionissopoulos" <dionch@freemail.gr>
To: freebsd-pf@freebsd.org
Date: Fri, 21 Jan 2005 16:51:54 +0200
Subject: PF+Bridge. A solution with ng_bridge.
List-Id: Technical discussion and general questions about packet filter (pf)

Hi list,

Reading these issues (*1) for a pf-enabled bridge, I found a pf+bridge (aka transparent firewall) solution which seems to work. It's based on the netgraph bridge module (ng_bridge).
Just try these steps, and send me feedback:

1/ Load kernel modules:

   # kldload pf.ko
   # kldload ng_ether.ko
   # kldload ng_eiface.ko
   # kldload ng_bridge.ko

2/ Clean ipmask definitions from interfaces:

   # ifconfig $lan delete
   # ifconfig $wan delete

3/ Make a bridge with the $wan, $lan interfaces
   (change $lan, $wan to comply with your hardware):

   # ngctl mkpeer $lan: bridge lower link0
   # ngctl name $lan:lower br0
   # ngctl connect $lan: br0 upper link1
   # ngctl connect $wan: br0 lower link2
   # ngctl connect $wan: br0 upper link3

4/ Enable your rules:

   vi /etc/pf.conf:
   ~~~~~~~~~~
   pass in on rl0 all
   pass out on rl0 all
   pass in on rl1 all
   pass out on rl1 all

   ** Of course you can be more restrictive here, with or without states.

   # pfctl -evf /etc/pf.rules

Cheers,
Chris.

(*1):
http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000734.html
http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000744.html