From: David Pierron <david@wombatsweb.com>
Date: Fri, 18 Nov 2005 11:59:59 -0500
To: freebsd-pf@freebsd.org
Subject: Best practices for service provider?
Message-ID: <437E088F.7080809@wombatsweb.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

This is a loaded question, so please bear with me. I could really use the advice/help.

I am coming from a FreeBSD 4.9 IP-less IPFW bridging firewall ... I had followed the directions from the FreeBSD Handbook ...

Recently it crashed, so I had to rebuild it, uhm ... quickly ... This time I decided to include a 3rd NIC so that I could get the nightly emails and pay a bit better attention to its status ... It is working, but giving me some errors about:

    arp: xx:xx:xx:xx:xx:xx is using my IP address my.c.class.xx!

I have been scouring the Internet for information, and I decided to give PF a try ... I installed OpenBSD 3.8 but didn't like its CLI interface ... Not that I use a GUI, I don't ... I just hop around much better on FreeBSD ...

I drew a picture of what I am envisioning as a firewall solution for me here:
http://www.davidpierron.com/img/net-map.jpg

I installed FreeBSD 6.0 and cvsup'd ports and src ... put the following into GENERIC:

    # to allow bridge support
    device          if_bridge

    # PF
    device          pf
    device          pflog
    device          pfsync

    # ALTQ
    options         ALTQ
    options         ALTQ_CBQ        # Class Based Queueing (CBQ)
    options         ALTQ_RED        # Random Early Detection (RED)
    options         ALTQ_RIO        # RED In/Out
    options         ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
    options         ALTQ_PRIQ       # Priority Queueing (PRIQ)
    #options        ALTQ_NOPCC      # Required for SMP build

    # other stuff
    options         IPSTEALTH
    options         HZ=1000

I put the following into rc.conf:

    defaultrouter="my.c.class.1"
    hostname="firewall.foo.org"
    ifconfig_xl0="inet my.c.class.2 netmask 255.255.255.0"
    usbd_enable="NO"
    sendmail_enable="NO"
    cloned_interfaces="bridge0"             # create a bridge
    ifconfig_bridge0="addm rl0 addm rl1"    # set bridge to use particular NICs
    #gateway_enable="YES"
    pf_enable="YES"                 # Enable PF (load module if required)
    pf_rules="/etc/pf.conf"         # rules definition file for pf
    pf_flags=""                     # additional flags for pfctl startup
    pflog_enable="YES"              # start pflogd(8)
    pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
    pflog_flags=""                  # additional flags for pflogd startup
    ...

and into sysctl.conf:

    net.link.bridge.pfil_bridge=1   # enables packet filtering on bridge
    net.link.bridge.pfil_member=1   # enables packet filtering on in and out interfaces
    #net.inet.ip.forwarding=1       # instead of gateway_enable in rc.conf?

I am running into one of two things ... trying to find information that isn't widely available yet, or trying to figure this out from old posts that don't apply anymore ... The other thing going against me is that I haven't seen anything that resembles my setup ... I am not running any NAT ... I am using real-world routable IP addresses ... I am assuming I need a 3rd NIC to be separate from the firewall ...

From my recent readings of this list's archives, it doesn't seem that I would want to run a bridge ... It won't allow me to keep state ... If this is the case, how do I avoid assigning an IP address to the network cards that will be doing the filtering? I tried some interesting combinations with ifconfig in rc.conf, but they didn't work ...

When I thought everything was up and running correctly, I put this box between my router and switch, but traffic didn't flow ... I could ping internally, but could not ping the router's address, which is the gateway (x.x.x.1) ... I assumed that the internal pinging was working on the 3rd NIC with the real IP address ...

My question is: can I use two NICs for PF to do firewalling on, to put between the router and the switch, and then plug the 3rd NIC in and have it act as a separate interface on the box, or should I simply use 2 NICs and assign them real IP addresses ... If I do that, will IPSTEALTH compiled into the kernel not show the presence of the filtering?

I think I have successfully confused myself with redundant or old information out there on the 'net, so again ... any suggestions or advice on what I am trying to accomplish would be greatly appreciated.

Thank you for reading,
David Pierron
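As an added illustration of the three-NIC layout described in the post (this is not the poster's pf.conf and not from the FreeBSD project), the ruleset below filters on the two address-less bridge members and treats the third NIC purely as a management interface. It assumes the interface names from the poster's rc.conf (rl0 and rl1 as bridge members, xl0 as the management NIC), that the members are brought up without addresses (ifconfig_rl0="up" and ifconfig_rl1="up" in rc.conf, alongside the existing ifconfig_bridge0 line), that sysctl is set to net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0 so each packet is evaluated once on the member it crosses rather than twice, and that 192.0.2.0/24 stands in for the poster's "my.c.class" block. The admin host address and the exposed service ports are made-up placeholders.

```pf
# Added example pf.conf for a filtering bridge with a separate management NIC.
# Not the poster's configuration; interface names follow the post, addresses
# are placeholders (192.0.2.0/24 is a documentation range).

ext_if  = "rl0"           # bridge member facing the router (my.c.class.1)
int_if  = "rl1"           # bridge member facing the switch / hosted servers
mgmt_if = "xl0"           # management NIC, the only one carrying an address
mgmt_ip = "192.0.2.2"     # placeholder for my.c.class.2
lan     = "192.0.2.0/24"  # placeholder for the routable /24 behind the bridge
admin   = "192.0.2.10"    # placeholder: the one host allowed to ssh in

set skip on lo0

# Default deny in both directions; blocked packets go to pflog0 for review.
block log all

# Hosts behind the bridge may initiate anything outbound. State is created
# on the member the packet enters; with the default floating state policy
# the same state matches the packet leaving on the other member and the
# replies coming back, so no per-flow "pass out" rules are required.
pass in quick on $int_if inet proto tcp from $lan to any flags S/SA keep state
pass in quick on $int_if inet proto { udp, icmp } from $lan to any keep state

# Inbound services the provider actually exposes; everything else is still
# caught by the block rule above. Placeholder ports.
pass in quick on $ext_if inet proto tcp from any to $lan port { 80, 443 } flags S/SA keep state

# Management NIC: ssh from the admin host only, plus outbound traffic for the
# nightly mail and updates. Nothing here is bridged, so this is ordinary
# host filtering.
pass in  quick on $mgmt_if inet proto tcp from $admin to $mgmt_ip port 22 flags S/SA keep state
pass out quick on $mgmt_if inet from $mgmt_ip to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch what the block rule is dropping with `tcpdump -n -e -ttt -i pflog0` (or the same against /var/log/pflog with `-r`); the first thing that usually shows up in a setup like this is the gateway's traffic being blocked because a member interface was never brought up, which presents exactly as "can ping inside but not the router".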