Date:      Wed, 21 May 2014 10:26:24 +0700
From:      Olivier Nicole <olivier2553@gmail.com>
To:        Ian Smith <smithi@nimnet.asn.au>
Cc:        Olivier Nicole <on@cs.ait.ac.th>, Jim Pazarena <fquest@paz.bz>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject:   Re: transparent bridge ~ firewall
Message-ID:  <CA+g+Bvg7XGiB593QoXaXn42q5FQra2Y06ehuP4zBJP-kjTrhng@mail.gmail.com>
In-Reply-To: <20140520221724.P89611@sola.nimnet.asn.au>
References:  <mailman.73.1400587201.90245.freebsd-questions@freebsd.org> <20140520221724.P89611@sola.nimnet.asn.au>

Ian,

>  > > Is it possible to configure fbsd so that it passes traffic thru two
>  > > nics "transparently", (with a third nic installed as the management IP)?
>  > >
>  > > So that firewall rules can be applied between those two transparent
>  > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
>  > > or re-direct.
> I'm not clear on what 're-direct' means in the context of a transparent
> bridge, if it's not doing any routing?  But pressing on ..

I don't know either, would have to ask the OP :)

>  > > I purchased a device which uses debian to do this. I would like to
>  > > see if I can duplicate the functions on FreeBSD, my OS of choice.
>  >
>  > I used to do that a few years ago, using ip-firewall at that time
>  > instead of ipfw, I can't remember the reason why, I think it was the
>  > unavailability of layer 2 in IPFW at that time.
>
> If that was the reason, it must have been prior to Jan '94 when I built
> a transparent filtering bridge box for a local community technology
> centre using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a
> satellite gateway/NAT/proxy box - largely outside our control - and our
> internal gateway / router for about a dozen machines, incl some wifi.

I am sure that was prior to 2004. Or maybe just around, I remember it had ipfw2.

> All layer 2 except for the layer 3 management functions on the inside
> interface; ie it only needed 2 NICs, but you can use 3 if you want :)
>
>  > I have switched to zeroshell since because I needed captive portal too
>  > and neither monowall nor pf sense did offer captive portal on bridged
>  > interfaces when I did the change.
>
> Not cluey on captive portals, but we had a fairly extensive firewall
> with dummynet shaping, plus local webserver/samba/etc, setup by a
> colleague, also running from the bridge box .. all the client boxes just
> ran from a switch.

Captive portal is the authentication for outgoing users: you open any
web page and get redirected to a login page, then the outgoing
firewall is open for your IP.

>  > I am pretty sure that monowall and pfsense do offer bridged interfaces.
> As does ipfw.  I'd have to do some serious digging through backups to
> provide configuration detail, and that was with the older bridge.ko but
> will hunt if it might be useful.  I recall at the time finding plenty on
> the web and in the handbook, along with, of course, ipfw(8) and some
> help from folks on -net, so it wasn't so difficult to get going well.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/

I am mentioning monowall and pfsense because they are built on FreeBSD
and offer a simple and fully manageable configuration tool: for
someone not really sure how to bridge interfaces, using a tool with a
configuration interface may help.

Bests,

Olivier
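As an added illustration of the setup discussed in this thread (a layer-2 filtering bridge with ipfw between two NICs, a third NIC carrying only the management address, no NAT and no routing), the configuration fragments below are not from any poster in the thread and are not the Debian device's configuration. They assume a current FreeBSD with if_bridge(4) rather than the older bridge.ko, and the interface names (em0 outside, em1 inside, em2 management), the management network 192.0.2.0/24 and the inside network 192.168.1.0/24 with a web server at 192.168.1.10 are all made up for the example. Rule numbers and the rule file path are likewise assumptions; adjust them to taste.

```conf
# /etc/rc.conf  (assumed interface names: em0 = outside, em1 = inside, em2 = management)
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"   # bridge0 itself gets no IP address: pure layer 2
ifconfig_em0="up"
ifconfig_em1="up"
ifconfig_em2="inet 192.0.2.10/24"         # only the management NIC carries an address
gateway_enable="NO"                        # no IP forwarding: this box never routes
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"            # assumed path; loaded as "ipfw /etc/ipfw.rules"
firewall_logging="YES"

# /etc/sysctl.conf
net.link.bridge.ipfw=1          # hand bridged frames to ipfw at layer 2
net.link.bridge.pfil_member=1   # filter on the member interfaces (em0/em1) ...
net.link.bridge.pfil_bridge=0   # ... and not a second time on bridge0 itself
net.link.bridge.ipfw_arp=0      # let ARP pass without consulting ipfw

# /etc/ipfw.rules  (each line is an ipfw(8) command; "in via emN" names the member
# interface the frame arrived on, so one direction of a flow is matched per rule)
flush

# Box-local traffic and the management interface: only SSH from the admin net reaches the box.
add 100 allow ip from any to any via lo0
add 200 allow tcp from 192.0.2.0/24 to me 22 in via em2 setup keep-state
add 210 check-state
add 290 deny log ip from any to any via em2

# Bridged traffic is inspected on the way in on a member; whatever survives is let out
# on the other member without a second look.
add 500 allow ip from any to any out

# Inside (em1) -> outside: everything from the inside network may leave.
add 1000 allow ip from 192.168.1.0/24 to any in via em1
add 1090 deny log ip from any to any in via em1          # spoofed or foreign sources

# Outside (em0) -> inside: only replies and the published web server are admitted.
add 2000 allow tcp from any to 192.168.1.10 80,443 in via em0 setup
add 2010 allow tcp from any to 192.168.1.0/24 in via em0 established
add 2020 allow udp from any 53 to 192.168.1.0/24 in via em0
add 2030 allow icmp from any to 192.168.1.0/24 in via em0 icmptypes 0,3,11
add 2990 deny log ip from any to any in via em0

# Nothing else crosses the bridge (the kernel's default rule 65535 is also a deny).
add 65000 deny log ip from any to any
```

Two checks worth doing once this is loaded: `ifconfig bridge0` should list em0 and em1 as members with no inet address on bridge0 itself, and `ipfw -a list` should show the counters on rules 1000 and 2010 moving while no counter on an em2 rule changes for bridged traffic. The "re-direct" the original poster asked about is deliberately absent here; ipfw's fwd action acts on packets the host's IP stack handles, and this configuration keeps the bridge at layer 2, which is the same limitation that led the captive-portal discussion above towards a different tool.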


