PF+Bridge. A solution with ng_bridge.
Chris Dionissopoulos
dionch at freemail.gr
Fri Jan 21 06:52:47 PST 2005
Hi list,
Reading these issues (*1) for a pf-enabled bridge, I found a
pf+bridge (aka transparent firewall) solution which seems
to work. It's based on the netgraph bridge module (ng_bridge).
Just try these steps, and send me feedback:
1/ Load kernel modules:
# kldload pf.ko
# kldload ng_ether.ko
# kldload ng_eiface.ko
# kldload ng_bridge.ko
2/ Clean ipmask definitions from interfaces:
# ifconfig $lan delete
# ifconfig $wan delete
3/ Make a bridge with $wan,$lan interfaces:
(change $lan,$wan to match your hardware)
# ngctl mkpeer $lan: bridge lower link0
# ngctl name $lan:lower br0
# ngctl connect $lan: br0: upper link1
# ngctl connect $wan: br0: lower link2
# ngctl connect $wan: br0: upper link3
4/ Enable your rules:
vi /etc/pf.conf:
~~~~~~~~~~
pass in on rl0 all
pass out on rl0 all
pass in on rl1 all
pass out on rl1 all
**Of course you can be more restrictive here with or without states.
# pfctl -evf /etc/pf.conf
Cheers,
Chris.
(*1):
http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000734.html
http://lists.freebsd.org/pipermail/freebsd-pf/2005-January/000744.html
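
A pass-all ruleset lets traffic through whether or not pf inspects it, so the per-rule counters from `pfctl -vsr` are the way to confirm that pf sees packets on both bridge members. The script below is an added example, not part of the original post: the function names `packets_on` and `check_bridge` are hypothetical, the sample counters are constructed, and rl0/rl1 are the interface names used in the post's rules.

```shell
#!/bin/sh
# Added example: confirm from `pfctl -vsr` counters that pf has matched
# packets on both members of the bridge.

# Constructed sample in the layout `pfctl -vsr` prints (not captured output).
SAMPLE='pass in on rl0 all
  [ Evaluations: 412       Packets: 398       Bytes: 51200       States: 0     ]
pass out on rl0 all
  [ Evaluations: 14        Packets: 0         Bytes: 0           States: 0     ]
pass in on rl1 all
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]
pass out on rl1 all
  [ Evaluations: 9         Packets: 0         Bytes: 0           States: 0     ]'

# packets_on IFACE: read `pfctl -vsr` text on stdin and print the sum of the
# Packets counters of every rule bound to IFACE ("... on IFACE ...").
packets_on() {
    awk -v ifc="$1" '
        /^[^ \t]/ {                      # rule line: starts in column 1
            hit = 0
            for (i = 1; i < NF; i++)
                if ($i == "on" && $(i + 1) == ifc) hit = 1
            next
        }
        hit && /Packets:/ {              # counter line of a matching rule
            for (i = 1; i < NF; i++)
                if ($i == "Packets:") sum += $(i + 1)
        }
        END { print sum + 0 }'
}

# check_bridge LAN WAN: read `pfctl -vsr` text on stdin; return 0 only if
# rules on both interfaces have matched at least one packet.
check_bridge() {
    out=$(cat)
    rc=0
    for ifc in "$1" "$2"; do
        n=$(printf '%s\n' "$out" | packets_on "$ifc")
        if [ "$n" -gt 0 ]; then
            echo "$ifc: $n packets matched"
        else
            echo "$ifc: no packets matched, pf may not be seeing bridged traffic"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample; live use: pfctl -vsr | check_bridge rl0 rl1
printf '%s\n' "$SAMPLE" | check_bridge rl0 rl1 || true
```

Run the live form as root after passing traffic in both directions through the bridge; a non-zero exit means at least one member interface shows no matched packets.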