From owner-freebsd-questions Tue Mar 11 06:05:48 2003
Date: Tue, 11 Mar 2003 09:05:44 -0500 (EST)
From: IAccounts
To: "Dave [Hawk-Systems]"
Cc: freebsd-questions
Subject: Re: transparent ipfw
Message-ID: <20030311085642.W66368-100000@diana.northnetworks.ca>

> Been browsing for a bit (knowing I will get some rtfm responses from this) but
> haven't come across a solid answer for this. Most solutions involve NAT or some
> other non-routable ip block type of solution.
>
> Have the following (192.168.100.0/24 used in place of routable addresses)
>
> - Internet connection coming into port 1 of Cisco switch (switch address
>   192.168.100.1).
> - Other FreeBSD servers (192.168.100.2 - 192.168.100.252) connected to various
>   ports on the switch using the switch as the gateway device.
> - Other networks (192.168.101.0/24 etc...) connected to the switch which is
>   bridging them over to the internet connection out of port 1.
>
> Wish to place a FreeBSD server in front of the switch to count traffic to and
> from various IP addresses for the entire network.
>
> NIC1 on the FreeBSD box would go to the Internet Connection
> NIC2 on the FreeBSD box would go to the switch.
>
> All addresses used are routable (3 /24 blocks will be coming down to NIC1), and
> all addresses/packets should be passed through without any NAT or other
> readdressing taking place. Aside from telnetting into the box itself, it doesn't
> need any IP addresses except for whatever is needed for the above setup.
>
> Comments appreciated, this would be my first implementation of ipfw / fw rules
> in general using a FreeBSD box.

In your kernel:

    options BRIDGE
    options IPFIREWALL
    options IPFIREWALL_VERBOSE
    options IPFIREWALL_VERBOSE_LIMIT=xx   # where xx == any number

In /etc/sysctl.conf:

    net.link.ether.bridge=1
    net.link.ether.bridge_ipfw=1

No IPs needed now. You could put one on the switch side of the box, for ssh
access. Then your IPs can be placed directly on the servers themselves.

This setup (bridged) is great because if for some reason the bridge fails, or
it needs to be taken offline, you can pull the wire from the bridge, plug it
back into the switch and you're immediately back in business (of course less
your firewall).

If you need help with this, I will be happy to give you more info. I have this
exact setup in two places at this ISP I work for, plus I use it at home to
protect the integrity of my wireless lan (this one is running IPSec however).
What first took me months of R&D to implement, now takes me minutes.

Steve

> Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
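As an added example (not code from Steve's mail or from the FreeBSD project), the following POSIX sh script generates the per-network ipfw "count" rules a bridging box like the one described above would load to account traffic for each /24, and summarizes the counters that "ipfw -a list" reports. The starting rule number, the network list and the sample counter output are constructed assumptions for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: generate ipfw accounting rules for a
# bridging firewall and summarize their counters. Rule numbers (from 1000) and
# the sample "ipfw -a list" output below are constructed assumptions.

# Emit one count rule per direction for each network, then a final pass rule.
# Rules are printed, not executed, so they can be reviewed before loading.
gen_count_rules() {
  n=$1
  shift
  for net in "$@"; do
    printf 'ipfw add %d count ip from %s to any\n' "$n" "$net"
    n=$((n + 1))
    printf 'ipfw add %d count ip from any to %s\n' "$n" "$net"
    n=$((n + 1))
  done
  # "count" does not terminate rule processing, so traffic still needs a pass rule
  printf 'ipfw add %d allow ip from any to any\n' "$n"
}

# Reduce "ipfw -a list" lines (rule pkts bytes action ...) to
# "rule bytes src dst" for the count rules only.
summarize_counts() {
  awk '$4 == "count" { print $1, $3, $7, $9 }'
}

# Total bytes seen in both directions for one network.
bytes_for_net() {
  awk -v net="$1" '$4 == "count" && ($7 == net || $9 == net) { sum += $3 }
                   END { print sum + 0 }'
}

# Constructed sample of "ipfw -a list" output after the rules above are loaded.
SAMPLE_LIST='01000 12 3456 count ip from 192.168.100.0/24 to any
01001 34 7890 count ip from any to 192.168.100.0/24
01002 5 600 count ip from 192.168.101.0/24 to any
01003 6 700 count ip from any to 192.168.101.0/24
01004 57 12646 allow ip from any to any
65535 0 0 deny ip from any to any'

gen_count_rules 1000 192.168.100.0/24 192.168.101.0/24
printf '%s\n' "$SAMPLE_LIST" | summarize_counts
printf '%s\n' "$SAMPLE_LIST" | bytes_for_net 192.168.100.0/24   # prints 11346
```

On the real box the generated lines would be piped to "sh" after "ipfw -f flush", and the summary read from "ipfw -a list" instead of the constructed sample.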