From owner-freebsd-pf@FreeBSD.ORG Sat Nov 19 19:10:06 2005
From: David Pierron
To: freebsd-pf@freebsd.org
Date: Sat, 19 Nov 2005 14:09:52 -0500
Message-ID: <437F7880.708@wombatsweb.com>
In-Reply-To: <200511182219.05951.soren3@gmail.com>
References: <437E088F.7080809@wombatsweb.com> <437E38EA.6050409@mantor.org> <200511182219.05951.soren3@gmail.com>
Subject: Re: Best practices for service provider?
Soren Worach on 11/18/2005 7:19 PM wrote:

>On Friday 18 November 2005 18:26, Danny Fullerton wrote:
>
>>David Pierron wrote:
>>
>>>This is a loaded question so please bear with me. I could really use
>>>the advice/help.
>>>
>>>I am coming from a FreeBSD 4.9 IPLess IPFW Bridging Firewall ... I
>>>had followed the directions from the FreeBSD Handbook ... Recently it
>>>crashed, so I had to rebuild it, uhm ... quickly ...
>>>
>>>This time I decided to include a 3rd NIC so that I could get the
>>>nightly emails and pay a bit better attention to its status ... It is
>>>working, but giving me some errors about "arp: xx:xx:xx:xx:xx:xx is
>>>using my IP address my.c.class.xx!" I have been scouring the Internet
>>>for information, and I decided to give PF a try ... I installed
>>>OpenBSD 3.8 but didn't like its CLI interface ... Not that I use a
>>>GUI, I don't ... I just hop around much better on FreeBSD ...
>>>
>>>I drew a picture of what I am envisioning as a firewall solution for
>>>me here:
>>>http://www.davidpierron.com/img/net-map.jpg
>>>
>>>I installed FreeBSD 6.0 and cvsup'd ports and src ... put the
>>>following into GENERIC:
>>>
>>># to allow bridge support
>>>device if_bridge
>>>
>>>#PF
>>>device pf
>>>device pflog
>>>device pfsync
>>>
>>>#ALTQ
>>>options ALTQ
>>>options ALTQ_CBQ        # Class Based Queuing (CBQ)
>>>options ALTQ_RED        # Random Early Detection (RED)
>>>options ALTQ_RIO        # RED In/Out
>>>options ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
>>>options ALTQ_PRIQ       # Priority Queuing (PRIQ)
>>>#options ALTQ_NOPCC     # Required for SMP build
>>>
>>># other stuff
>>>options IPSTEALTH
>>>options HZ=1000
>>>
>>>I put the following into rc.conf:
>>>
>>>defaultrouter="my.c.class.1"
>>>hostname="firewall.foo.org"
>>>ifconfig_xl0="inet my.c.class.2 netmask 255.255.255.0"
>>>usbd_enable="NO"
>>>sendmail_enable="NO"
>>>
>>>cloned_interfaces="bridge0"              # create a bridge
>>>ifconfig_bridge0="addm rl0 addm rl1"     # set bridge to use particular NICs
>>>#gateway_enable="YES"
>>>
>>>pf_enable="YES"                 # Enable PF (load module if required)
>>>pf_rules="/etc/pf.conf"         # rules definition file for pf
>>>pf_flags=""                     # additional flags for pfctl startup
>>>pflog_enable="YES"              # start pflogd(8)
>>>pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
>>>pflog_flags=""                  # additional flags for pflogd startup
>>>
>>>.. and into sysctl.conf:
>>>
>>>net.link.bridge.pfil_bridge=1   # enables packet filtering on bridge
>>>net.link.bridge.pfil_member=1   # enables packet filtering on in and out interfaces
>>>#net.inet.ip.forwarding=1       # instead of gateway_enable in rc.conf?
>>>
>>>I am running into one of two things ... Trying to find information
>>>that isn't widely available yet, or trying to figure this out from old
>>>posts that don't apply anymore ... The other thing going against me
>>>is that I haven't seen anything that resembles my setup ... I am not
>>>running any NAT ... I am using real world routable IP addresses ... I
>>>am assuming I need a 3rd NIC to be separate from the firewall ...
>>>
>>You can use a firewalled interface or bridge interface as a normal
>>interface too. It's only depending on your config. You'll find lots of
>>stuff on Google referring to a setup like yours, but when searching for
>>OpenBSD stuff.
>>

I have been using Google and searching ... I have not been successful in
finding a HOW-TO or something similar to help me configure this FreeBSD
6.0 machine the way it ought to be configured ... Many sites and spiders
of mailing lists are outdated ... As stated above, I want to use FreeBSD
for this solution ...

>>>From my recent readings of this list's archives, it doesn't seem that I
>>>would want to run a bridge ... It won't allow me to keep state ...
>>>If this is the case, how do I avoid assigning an IP address to the
>>>network cards that will be doing the filtering? I tried some interesting
>>>combinations with ifconfig in rc.conf, but they didn't work ... When
>>>I thought everything was up and running correctly, I put this box
>>>between my router and switch but traffic didn't flow ... I could ping
>>>internally, but could not ping the router's address which is the
>>>gateway (x.x.x.1) ... I assumed that the internal pinging was working
>>>on the 3rd NIC with the real IP address ...
>>>
>>Stateful mode is working in bridge mode using OpenBSD PF. But I don't
>>know if it's presently the case with the FreeBSD implementation.
>>
>
>it _is_ the case, pf supports stateful with bridging. I'm using 6.0 since
>betaX on a couple of setups like this.
>

I found messages in this archive only months old that suggest that
although state is displayed, it may not be reporting correctly ... these
messages were from 12/2004 and Jan/2005, and looking at them again, it's
possible that they weren't even talking about if_bridge ...

>>>My question is, can I use two NICs for PF to do firewalling on to put
>>>between the router and the switch and then plug the 3rd NIC in and
>>>have it act as a separate interface on the box, or should I simply use
>>>2 NICs and assign them real IP addresses ... If I do that, will
>>>IPSTEALTH compiled into the kernel not show the presence of the
>>>filtering?
>>>
>>As I said, you could use this kind of setup (3 cards to keep the logic
>>simple) or, while using 2 interfaces in bridge mode, use 1 of them with
>>an internal IP address (bridge and standard).
>>
>>>I think I have successfully confused myself with redundant or old
>>>information out there on the 'net, so again ... any suggestions or
>>>advice on what I am trying to accomplish would be greatly appreciated.
>>>
>
>please post your pf.conf.
>

Whoa ... we're not even there yet ... I am trying to get the hardware
configured ... I am not clear as to the parameters required for the
bridge or the options to allow IP forwarding across the bridge and
keeping the 3rd NIC separate ... I set up a simple pf.conf to block all
traffic:

scrub in all
block out log on $ext_if all
block in log on $ext_if all

I saw no activity logged at all when I attached cables from the router
and then to the switch ...

>>>Thank you for reading,
>>>David Pierron
>>>
>>You should begin by playing with Packet Filter while being in bridge
>>mode and gradually including features like the management IP/interface
>>before going too far and not understanding.
>>
>>Danny Fullerton
>>

I think my initial problem when installing the 3 NICs and giving one an
IP address is that they all use the default gateway ... Do I need to
install the gateway just to the 3rd NIC somehow? (which I would call the
management NIC) ... Should I remove defaultrouter="x.x.x.1" from
rc.conf? I would have thought the bridge would live in its own space ...
The bridge just needs to filter packets, not caring about its own IP
addresses ... I would be able to deny or throttle by destination IP, but
the bridge itself should see traffic coming in, filter it based on the
rules, and then pass it on if okay or drop it if not okay ... The outside
world wouldn't know that there was an extra hardware appliance hop to
their destination ... The assumption in using 3 NICs is that FreeBSD will
run an IPLess stateful packet filter on the 2-NIC bridge, and the 3rd
NIC's traffic will eventually travel across that bridge as shown in the
diagram I drew ... This has to be possible, but there must be some trick
to it that I haven't grasped ... Not many setups or HOWTOs explain this
sort of setup or idea ... Maybe I should have asked one question at a
time? I just thought this was all encompassing ... the hardware setup
supporting the PF machine ...

David Pierron
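For the layout described in this thread (an IP-less rl0/rl1 bridge with xl0 as the management NIC), the following /etc/pf.conf is an example added to this archive page as an illustration; it is not David's or the list's configuration. The inside network block and the admin host addresses are constructed placeholders, and it assumes net.link.bridge.pfil_member=1 together with net.link.bridge.pfil_bridge=0 so that each packet is filtered once, on the member interface it arrives on, rather than once on the member and again on bridge0.

```pf
# /etc/pf.conf: transparent, IP-less stateful bridge plus a separate
# management NIC. Added example for this thread, not David's config.
# Assumed layout (from the rc.conf in the thread): rl0 and rl1 are the
# bridge0 members and carry no address; xl0 carries the management IP.
# Assumed companion sysctls so a packet is filtered exactly once, on the
# member it enters, instead of again on bridge0:
#   net.link.bridge.pfil_member=1
#   net.link.bridge.pfil_bridge=0
ext_if  = "rl0"     # member facing the router
int_if  = "rl1"     # member facing the switch
mgmt_if = "xl0"     # routed management interface

# Constructed placeholder addresses: the public block behind the bridge
# and the hosts allowed to ssh into the management NIC.
inside_net  = "192.0.2.0/24"
admin_hosts = "{ 192.0.2.10, 192.0.2.11 }"

set skip on lo0
scrub in all

# Default deny, logged to pflog0, so "tcpdump -n -e -ttt -i pflog0"
# shows exactly what the bridge drops while the rules are being tuned.
block log all

# Bridged side. State is created on the member the packet enters; the
# same packet leaving the other member matches that floating state, so
# no matching "pass out" state rule is needed. Only a few services are
# reachable from outside; inside hosts may open anything outbound.
# TCP state is created only on an initial SYN (flags S/SA).
pass in quick on $ext_if proto tcp from any to $inside_net \
    port { 80, 443 } flags S/SA keep state
pass in quick on $ext_if inet proto icmp from any to $inside_net \
    icmp-type echoreq keep state
pass in quick on $int_if proto tcp from $inside_net to any \
    flags S/SA keep state
pass in quick on $int_if proto { udp, icmp } from $inside_net to any \
    keep state
pass out quick on { $ext_if, $int_if } all

# Management NIC. Only ssh from the admin hosts comes in; the box itself
# may talk out (nightly mail, cvsup). Nothing is forwarded via xl0.
pass in on $mgmt_if proto tcp from $admin_hosts to $mgmt_if \
    port ssh flags S/SA keep state
pass out on $mgmt_if from $mgmt_if to any keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; "pfctl -ss" then lists the states the bridge is tracking, which is the quickest way to see whether stateful filtering is actually working across if_bridge.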