Date: Tue, 20 May 2014 23:43:27 +1000 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Olivier Nicole <olivier.nicole@cs.ait.ac.th>
Cc: Jim Pazarena <fquest@paz.bz>, freebsd-questions@freebsd.org
Subject: Re: transparent bridge ~ firewall
Message-ID: <20140520221724.P89611@sola.nimnet.asn.au>
In-Reply-To: <mailman.73.1400587201.90245.freebsd-questions@freebsd.org>
References: <mailman.73.1400587201.90245.freebsd-questions@freebsd.org>
In freebsd-questions Digest, Vol 520, Issue 2, Message: 19
On Tue, 20 May 2014 11:59:27 +0700 Olivier Nicole <olivier.nicole@cs.ait.ac.th> wrote:

Hi there Olivier,

> Jim,
>
> > Is it possible to configure fbsd so that it passes traffic thru two
> > nics "transparently", (with a third nic installed as the management IP)?
> >
> > So that firewall rules can be applied between those two transparent
> > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > or re-direct.

I'm not clear on what 're-direct' means in the context of a transparent
bridge, if it's not doing any routing? But pressing on ..

> > I purchased a device which uses debian to do this. I would like to
> > see if I can duplicate the functions on FreeBSD, my OS of choice.
>
> I used to do that a few years ago, using ip-firewall at that time
> instead of ipfw, I can't remember the reason why, I think it was the
> unavailability of layer 2 in IPFW at that time.

If that was the reason, it must have been prior to Jan '94 when I built a
transparent filtering bridge box for a local community technology centre
using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a satellite
gateway/NAT/proxy box - largely outside our control - and our internal
gateway / router for about a dozen machines, incl some wifi. All layer 2
except for the layer 3 management functions on the inside interface; ie it
only needed 2 NICs, but you can use 3 if you want :)

> I have switched to zeroshell since because I needed captive portal too
> and neither monowall nor pf sense did offer captive portal on bridged
> interfaces when I did the change.

Not cluey on captive portals, but we had a fairly extensive firewall with
dummynet shaping, plus local webserver/samba/etc, setup by a colleague,
also running from the bridge box .. all the client boxes just ran from a
switch.

> I am pretty sure that monowall and pfsense do offer bridged interfaces.

As does ipfw.

I'd have to do some serious digging through backups to provide
configuration detail, and that was with the older bridge.ko but will hunt
if it might be useful. I recall at the time finding plenty on the web and
in the handbook, along with, of course, ipfw(8) and some help from folks
on -net, so it wasn't so difficult to get going well.

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/

Of course m0n0wall or pfsense may do everything needed, I wouldn't know.

> Best regards,
>
> Olivier

cheers, Ian
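The setup Jim asks about and Ian describes, two bridged NICs filtered by ipfw with a third NIC carrying the only IP address, sketched as an added example that is not from this thread or from Ian's old bridge box. Interface names, addresses and the allowed services are constructed assumptions; the sysctl knobs are those documented in if_bridge(4), and `bridge_rules echo` previews the ruleset without needing ipfw on the machine.

```shell
# Added example (not from the thread): two-NIC ipfw filtering bridge plus a
# routed management NIC.  Names, addresses and services are assumptions.
outside="em0"             # bridge member toward the upstream gateway
inside="em1"              # bridge member toward the LAN switch
mgmt="em2"                # the only interface carrying an IP address
mgmt_net="192.0.2.0/24"   # admin hosts allowed to ssh to the bridge
lan_net="198.51.100.0/24" # addresses living behind the bridge

# rc.conf fragment: bridge0 spans the two members, which carry no addresses,
# so nothing is routed and the box is invisible to the bridged traffic.
rcconf_lines() {
    cat <<EOF
cloned_interfaces="bridge0"
ifconfig_bridge0="addm ${outside} addm ${inside} up"
ifconfig_${outside}="up"
ifconfig_${inside}="up"
ifconfig_${mgmt}="inet 192.0.2.10 netmask 255.255.255.0"
firewall_enable="YES"
firewall_script="/etc/ipfw.bridge.rules"
EOF
}

# sysctl.conf fragment (knobs from if_bridge(4)): filter IP once, on the member
# interfaces rather than on bridge0; non-IP frames such as ARP bypass the filter.
sysctl_lines() {
    cat <<EOF
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_onlyip=1
EOF
}

# Ruleset in the usual firewall_script shape; $1 is the ipfw command, so
# "bridge_rules echo" previews the rules without touching a live box.
bridge_rules() {
    fwcmd="${1:-/sbin/ipfw}"
    ${fwcmd} -f flush
    ${fwcmd} add 100 check-state
    # Management plane: ssh to the bridge only from admin hosts; box-originated
    # traffic (DNS, NTP) gets state so its replies are let back in.
    ${fwcmd} add 200 allow tcp from ${mgmt_net} to me 22 in recv ${mgmt} setup keep-state
    ${fwcmd} add 210 allow ip from me to any out xmit ${mgmt} keep-state
    ${fwcmd} add 220 deny log ip from any to me in recv ${mgmt}
    # Bridged traffic: LAN may initiate anything; outside only reaches the web server.
    ${fwcmd} add 300 allow ip from ${lan_net} to any in recv ${inside} keep-state
    ${fwcmd} add 400 allow tcp from any to 198.51.100.80 80,443 in recv ${outside} setup keep-state
    ${fwcmd} add 410 deny log ip from any to ${lan_net} in recv ${outside}
    # Anything admitted on ingress may leave via the other member.
    ${fwcmd} add 500 allow ip from any to any out
    ${fwcmd} add 65000 deny log ip from any to any
}
```

Because ingress on each member is filtered statefully and egress is left open, every bridged flow is judged exactly once, on the interface it arrived from.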