
transparent bridge ~ firewall


Jim Pazarena

May 20, 2014, 12:41:50 AM
Is it possible to configure fbsd so that it passes traffic thru two
nics "transparently", (with a third nic installed as the management IP)?

So that firewall rules can be applied between those two transparent
nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
or re-direct.

I purchased a device which uses debian to do this. I would like to
see if I can duplicate the functions on FreeBSD, my OS of choice.

Thanks.
--
Jim Pazarena fqu...@paz.bz
_______________________________________________
freebsd-...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questi...@freebsd.org"

Olivier Nicole

May 20, 2014, 12:59:27 AM
Jim,

> Is it possible to configure fbsd so that it passes traffic thru two
> nics "transparently", (with a third nic installed as the management IP)?
>
> So that firewall rules can be applied between those two transparent
> nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> or re-direct.
>
> I purchased a device which uses debian to do this. I would like to
> see if I can duplicate the functions on FreeBSD, my OS of choice.

I used to do that a few years ago, using ip-firewall at that time
instead of ipfw. I can't remember the reason why; I think it was the
unavailability of layer 2 in IPFW at that time.

I have switched to zeroshell since because I needed captive portal too
and neither monowall nor pf sense did offer captive portal on bridged
interfaces when I did the change.

I am pretty sure that monowall and pfsense do offer bridged interfaces.

Best regards,

Olivier

Ian Smith

May 20, 2014, 9:43:27 AM
In freebsd-questions Digest, Vol 520, Issue 2, Message: 19
On Tue, 20 May 2014 11:59:27 +0700 Olivier Nicole <olivier...@cs.ait.ac.th> wrote:

Hi there Olivier,
> Jim,
>
> > Is it possible to configure fbsd so that it passes traffic thru two
> > nics "transparently", (with a third nic installed as the management IP)?
> >
> > So that firewall rules can be applied between those two transparent
> > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > or re-direct.

I'm not clear on what 're-direct' means in the context of a transparent
bridge, if it's not doing any routing? But pressing on ..

> > I purchased a device which uses debian to do this. I would like to
> > see if I can duplicate the functions on FreeBSD, my OS of choice.
>
> I used to do that few years ago, using ip-firewall at that time
> instead of ipfw, I can't remember the reason why, I think it was the
> unavailability of layer 2 in IPFW at that time.

If that was the reason, it must have been prior to Jan '94 when I built
a transparent filtering bridge box for a local community technology
centre using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a
satellite gateway/NAT/proxy box - largely outside our control - and our
internal gateway / router for about a dozen machines, incl some wifi.

All layer 2 except for the layer 3 management functions on the inside
interface; ie it only needed 2 NICs, but you can use 3 if you want :)

> I have switched to zeroshell since because I needed captive portal too
> and neither monowall nor pf sense did offer captive portal on bridged
> interfaces when I did the change.

Not cluey on captive portals, but we had a fairly extensive firewall
with dummynet shaping, plus local webserver/samba/etc, setup by a
colleague, also running from the bridge box .. all the client boxes just
ran from a switch.

> I am pretty sure that monowall and pfsense do offer bridged interfaces.

As does ipfw. I'd have to do some serious digging through backups to
provide configuration detail, and that was with the older bridge.ko but
will hunt if it might be useful. I recall at the time finding plenty on
the web and in the handbook, along with, of course, ipfw(8) and some
help from folks on -net, so it wasn't so difficult to get going well.

http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/

Of course m0n0wall or pfsense may do everything needed, I wouldn't know.

> Best regards,
>
> Olivier

cheers, Ian
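The setup Ian describes, as an added example (this is not Ian's configuration, which he says he would have to dig out of backups, and not the Handbook article he links): a dry-run shell script for a FreeBSD with if_bridge(4) rather than the old bridge.ko, using ipfw(8) on the bridged frames. The interface names em0/em1/em2, the addresses (documentation ranges) and the rule set are assumptions for illustration. The two sysctls come from the ipfw(8) "SYSCTL VARIABLES" list; the rest is what you would type in.

```shell
#!/bin/sh
# Added example (not from the thread or the Handbook): a transparent
# filtering bridge on FreeBSD with if_bridge(4) and ipfw(8).
# Assumptions, all illustrative: em0/em1 are the two bridged NICs (no IP
# address, just "up"), em2 carries the management address, and the
# networks below are documentation ranges.
# DRY_RUN=1 (default) prints the commands; "DRY_RUN=0 sh bridgefw.sh" as
# root on FreeBSD applies them.
OUT_IF="${OUT_IF:-em0}"                       # upstream side
IN_IF="${IN_IF:-em1}"                         # protected side
MGMT_IF="${MGMT_IF:-em2}"                     # management NIC
MGMT_IP="${MGMT_IP:-192.0.2.10/24}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"
INSIDE_NET="${INSIDE_NET:-198.51.100.0/24}"   # hosts behind IN_IF
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bridge the two filtering NICs. Neither gets an address, so the box has
# no layer-3 presence on that path; only MGMT_IF is reachable.
configure_bridge() {
    run kldload -n if_bridge
    run ifconfig bridge0 create
    run ifconfig "$OUT_IF" up
    run ifconfig "$IN_IF" up
    run ifconfig bridge0 addm "$OUT_IF" addm "$IN_IF" up
    run ifconfig "$MGMT_IF" inet "$MGMT_IP"
    # ipfw(8) lists both: net.link.ether.ipfw hands layer-2 frames to ipfw,
    # net.link.bridge.ipfw hands bridged frames to it. if_bridge(4) notes the
    # latter switches off pfil_member/pfil_bridge, i.e. this is the ipfw
    # path, not the pf one.
    run sysctl net.link.ether.ipfw=1
    run sysctl net.link.bridge.ipfw=1
    run sysctl net.inet.ip.fw.verbose=1     # so "log" rules reach syslog
}

# Bridged frames reach ipfw with the "layer2" flag set, "recv" = the member
# they arrived on and "xmit" = the member they leave by. The management NIC
# is filtered by ordinary layer-3 rules. Management rules come first so a
# flush over ssh does not lock you out (rule 65535 is deny by default).
load_rules() {
    fw="ipfw -q"
    run $fw flush
    run $fw add 100 allow ip from any to any via lo0
    run $fw add 200 allow tcp from "$MGMT_NET" to me 22 in via "$MGMT_IF"
    run $fw add 210 allow tcp from me 22 to "$MGMT_NET" out via "$MGMT_IF"
    run $fw add 220 allow icmp from "$MGMT_NET" to me in via "$MGMT_IF"
    run $fw add 230 allow icmp from me to "$MGMT_NET" out via "$MGMT_IF"
    # net.link.ether.ipfw=1 also shows MGMT_IF's own frames at layer 2;
    # pass them there and let the layer-3 rules above decide.
    run $fw add 240 allow ip from any to any layer2 via "$MGMT_IF"
    run $fw add 250 deny log ip from any to any via "$MGMT_IF"
    # Bridged path: plain allow/deny, no NAT, no routing, keyed on the
    # member the frame was received on.
    run $fw add 1000 allow tcp from any to "$INSIDE_NET" 80,443 recv "$OUT_IF" layer2
    run $fw add 1010 allow tcp from "$INSIDE_NET" 80,443 to any recv "$IN_IF" layer2
    run $fw add 1020 allow ip from "$INSIDE_NET" to any recv "$IN_IF" layer2
    # replies to connections the inside opened: TCP without a bare SYN, UDP
    run $fw add 1030 allow tcp from any to "$INSIDE_NET" recv "$OUT_IF" layer2 established
    run $fw add 1040 allow udp from any to "$INSIDE_NET" recv "$OUT_IF" layer2
    run $fw add 1050 allow icmp from any to any layer2
    run $fw add 1900 deny log ip from any to any layer2
    run $fw add 65000 deny log ip from any to any
}

configure_bridge
load_rules
```

Two things to check before trusting a box built this way. First, the bridged rules above are deliberately stateless (the original question asked only for allow/drop), so rule 1040 lets any UDP through to the inside; if you need real state on the bridged path, use keep-state with care (ipfw(8) warns that dynamic rules and layer-2 passes interact) or use pf on the member interfaces instead. Second, with filtering enabled, if_bridge(4) passes ARP without consulting the firewall unless net.link.bridge.ipfw_arp is set, and drops non-IP frames other than ARP while net.link.bridge.pfil_onlyip=1 (the default); test with a non-IP protocol you care about before deploying. For persistence, the same interfaces go in rc.conf as cloned_interfaces="bridge0", ifconfig_bridge0="addm em0 addm em1 up", ifconfig_em0="up", ifconfig_em1="up", the two sysctls in /etc/sysctl.conf, and the rule set behind firewall_enable="YES" and firewall_script.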

Ian Smith

May 20, 2014, 9:53:55 AM
On Tue, 20 May 2014 23:43:27, Ian Smith wrote:
> > I used to do that few years ago, using ip-firewall at that time
> > instead of ipfw, I can't remember the reason why, I think it was the
> > unavailability of layer 2 in IPFW at that time.
>
> If that was the reason, it must have been prior to Jan '94 when I built
> a transparent filtering bridge box for a local community technology
> centre using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a

Sorry, pardon my 'senior moment', or blame the 'flu .. 2004 of course!

Olivier Nicole

May 20, 2014, 11:26:24 PM
Ian,

> > > Is it possible to configure fbsd so that it passes traffic thru two
> > > nics "transparently", (with a third nic installed as the management IP)?
> > >
> > > So that firewall rules can be applied between those two transparent
> > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > > or re-direct.
> I'm not clear on what 're-direct' means in the context of a transparent
> bridge, if it's not doing any routing? But pressing on ..

I don't know either, would have to ask the OP :)

> > > I purchased a device which uses debian to do this. I would like to
> > > see if I can duplicate the functions on FreeBSD, my OS of choice.
> >
> > I used to do that few years ago, using ip-firewall at that time
> > instead of ipfw, I can't remember the reason why, I think it was the
> > unavailability of layer 2 in IPFW at that time.
>
> If that was the reason, it must have been prior to Jan '94 when I built
> a transparent filtering bridge box for a local community technology
> centre using ipfw and dummynet on FreeBSD 4.8, later 4.10, between a
> satellite gateway/NAT/proxy box - largely outside our control - and our
> internal gateway / router for about a dozen machines, incl some wifi.

I am sure that was prior to 2004. Or maybe just around; I remember it had ipfw2.

> All layer 2 except for the layer 3 management functions on the inside
> interface; ie it only needed 2 NICs, but you can use 3 if you want :)
>
> > I have switched to zeroshell since because I needed captive portal too
> > and neither monowall nor pf sense did offer captive portal on bridged
> > interfaces when I did the change.
>
> Not cluey on captive portals, but we had a fairly extensive firewall
> with dummynet shaping, plus local webserver/samba/etc, setup by a
> colleague, also running from the bridge box .. all the client boxes just
> ran from a switch.

Captive portal is the authentication for outgoing users: you open any
web page and get redirected to a login page, then the outgoing
firewall is open for your IP.

> > I am pretty sure that monowall and pfsense do offer bridged interfaces.
> As does ipfw. I'd have to do some serious digging through backups to
> provide configuration detail, and that was with the older bridge.ko but
> will hunt if it might be useful. I recall at the time finding plenty on
> the web and in the handbook, along with, of course, ipfw(8) and some
> help from folks on -net, so it wasn't so difficult to get going well.
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/

I am mentioning monowall and pfsense because they are built on FreeBSD
and offer a simple and fully manageable configuration tool: for
someone not really sure how to bridge interfaces, using a tool with a
configuration interface may help.

Bests,

Olivier

Ian Smith

May 21, 2014, 11:55:51 AM
On Wed, 21 May 2014 10:26:24 +0700, Olivier Nicole wrote:

> > > > So that firewall rules can be applied between those two transparent
> > > > nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> > > > or re-direct.
> > I'm not clear on what 're-direct' means in the context of a transparent
> > bridge, if it's not doing any routing? But pressing on ..
>
> I don't know either, would have to ask the OP :)

I kinda thought I was - but should have preceded that with [Jim] :)

> > satellite gateway/NAT/proxy box - largely outside our control - and our
> > internal gateway / router for about a dozen machines, incl some wifi.
>
> I am sure that was prior 2004. Or maybe just around, I remember it had ipfw2.

Checking archives, I see that (the old) bridge.ko still had some issues
back then, needed compiling into kernel and some arp magic. Anyway this
is way too much nostalgia for many, I expect ..

> > > I have switched to zeroshell since because I needed captive portal too
> > > and neither monowall nor pf sense did offer captive portal on bridged
> > > interfaces when I did the change.

Just had another look at m0n0 again after many years, still looks great
for small boxes like PCengines, Soekris and such, and considered pfsense
to replace a Linux IPCop router more recently, but I'm about done being
a volunteer sysadmin these days, and never came across zeroshell.

> > Not cluey on captive portals, but we had a fairly extensive firewall
> > with dummynet shaping, plus local webserver/samba/etc, setup by a
> > colleague, also running from the bridge box .. all the client boxes just
> > ran from a switch.
>
> Captive portal is the authentication for outgoing users: you open any
> web page and get redirected to a login page, then the outgoing
> firewall is open for your IP.

Ah, right. Apart from bandwidth shaping and some port restriction those
cats went largely unherded; they couldn't get into too much mischief on a
256kbps sat down / 128kbps ISDN up link, in a small rural town otherwise
limited to 56kbps dialup - though in retrospect it would've been useful.

> > > I am pretty sure that monowall and pfsense do offer bridged interfaces.
> > As does ipfw. I'd have to do some serious digging through backups to

> > http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/
>
> I am mentioning monowall and pfsense because they are built on FreeBSD
> and offer a simple and fully manageable configuration tool: for
> someone not really sure how to bridge interfaces, using a tool with a
> configuration interface may help.

Indeed, agreed. Not hard to install and evaluate either fairly quickly.

cheers, Ian

Brian W.

May 21, 2014, 12:28:22 PM
Pfsense comes to mind as a good way to do this. Dummynet is also an option.

Bw

Christopher Hilton

May 27, 2014, 9:30:42 PM
On May 20, 2014, at 12:41 AM, Jim Pazarena <fqu...@paz.bz> wrote:

> Is it possible to configure fbsd so that it passes traffic thru two
> nics "transparently", (with a third nic installed as the management IP)?
>
> So that firewall rules can be applied between those two transparent
> nics? Don't want NAT, don't want routing. Just firewall "allow", "drop",
> or re-direct.
>
> I purchased a device which uses debian to do this. I would like to
> see if I can duplicate the functions on FreeBSD, my OS of choice.
>


FreeBSD may be able to do this by building a bridge device between two interfaces and then using pf on the individual interfaces. I'm not 100% on the capabilities of FreeBSD's bridge devices. I do this on OpenBSD and it works very well.

-- Chris
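What "pf on the individual interfaces" looks like on FreeBSD, as an added example (not Chris's configuration, which he runs on OpenBSD, and not from the thread): a pf.conf for the two bridge members plus a management NIC. On FreeBSD the bridge only hands frames to pf when net.link.bridge.pfil_member=1 is set, which is the knob that makes "on em0"/"on em1" rules meaningful; interface names and address ranges are assumptions.

```pf
# Added example, not from the thread and not Chris's configuration: pf(4)
# applied to the members of a FreeBSD if_bridge(4). Interface names and
# address ranges are assumptions.
#
# Needs, e.g. in /etc/sysctl.conf:
#   net.link.bridge.pfil_member=1   # run pf on em0/em1 as frames cross them
#   net.link.bridge.pfil_bridge=0   # and not a second time on bridge0
# and in /etc/rc.conf: cloned_interfaces="bridge0"
#   ifconfig_bridge0="addm em0 addm em1 up" ifconfig_em0="up" ifconfig_em1="up"
#   ifconfig_em2="inet 192.0.2.10/24" pf_enable="YES"

out_if     = "em0"            # upstream side, no address
in_if      = "em1"            # protected side, no address
mgmt_if    = "em2"            # management NIC
mgmt_net   = "192.0.2.0/24"
inside_net = "198.51.100.0/24"

set state-policy floating     # a state made on em1 matches the reply on em0
set skip on lo0
block log all

# management plane: ssh and ping from the management network only
pass in on $mgmt_if proto tcp from $mgmt_net to ($mgmt_if) port 22
pass in on $mgmt_if inet proto icmp from $mgmt_net to ($mgmt_if)

# bridged data plane: decide on the member the frame arrives on (stateful,
# pf's default for pass), then let it leave the other member unconditionally
pass out on { $out_if $in_if } no state
pass in on $in_if from $inside_net to any
pass in on $out_if proto tcp from any to $inside_net port { 80 443 }
```

The split between "pass in" with state and "pass out no state" matters: with pfil_member every bridged frame is filtered twice, once entering one member and once leaving the other, so filtering in both directions with stateful rules would create states on both sides for the same flow. The same if_bridge(4) caveats as for ipfw apply: ARP crosses the bridge without consulting pf, and other non-IP frames are dropped while net.link.bridge.pfil_onlyip=1 (the default). The box itself gets no outbound rules here beyond state replies, so add "pass out on $mgmt_if" rules for whatever DNS, NTP or package mirror it needs.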
